71cd3e3afcd5a2df4cc2092f8724b24c6a8cc7e6f44f77cc8174dac0a565f98b

General

Target

nuevo pedido#23785.exe
Size

430KB
MD5

45fe143aec6a446a2bfec96054dc923c
SHA1

a00719ef783406b10e44962ee6869e6a6fcc9e0d
SHA256

71cd3e3afcd5a2df4cc2092f8724b24c6a8cc7e6f44f77cc8174dac0a565f98b
SHA512

97967ad8de22d724541b985e0beb9ac68a5bfd2884df5d408fca79318dd9259e801dcfbddaacaf34bdc25128a1a00af78230bf818ce5c24b1ae3b18c545e540b

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nuevo pedido#23785.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nuevo pedido#23785.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nuevo pedido#23785.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

nuevo pedido#23785.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" nuevo pedido#23785.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	nuevo pedido#23785.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

nuevo pedido#23785.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nuevo pedido#23785.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nuevo pedido#23785.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	nuevo pedido#23785.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	nuevo pedido#23785.exe

Program crash 36 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
352	356	WerFault.exe	iexplore.exe
1564	2904	WerFault.exe	iexplore.exe
1420	1556	WerFault.exe	iexplore.exe
424	440	WerFault.exe	iexplore.exe
2716	3232	WerFault.exe	iexplore.exe
1156	2244	WerFault.exe	iexplore.exe
1496	1380	WerFault.exe	iexplore.exe
1656	1692	WerFault.exe	iexplore.exe
2132	3492	WerFault.exe	iexplore.exe
2084	2148	WerFault.exe	iexplore.exe
2260	3176	WerFault.exe	iexplore.exe
3640	3036	WerFault.exe	iexplore.exe
4040	2268	WerFault.exe	iexplore.exe
1544	1048	WerFault.exe	iexplore.exe
2336	972	WerFault.exe	iexplore.exe
1832	1676	WerFault.exe	iexplore.exe
2528	68	WerFault.exe	iexplore.exe
3576	3484	WerFault.exe	iexplore.exe
3132	3512	WerFault.exe	iexplore.exe
2408	3188	WerFault.exe	iexplore.exe
1308	2160	WerFault.exe	iexplore.exe
3852	3828	WerFault.exe	iexplore.exe
1016	3752	WerFault.exe	iexplore.exe
1816	3104	WerFault.exe	iexplore.exe
2956	2232	WerFault.exe	iexplore.exe
300	4020	WerFault.exe	iexplore.exe
872	2524	WerFault.exe	iexplore.exe
3292	3268	WerFault.exe	iexplore.exe
1416	1456	WerFault.exe	iexplore.exe
3952	1540	WerFault.exe	iexplore.exe
1172	1460	WerFault.exe	iexplore.exe
2712	704	WerFault.exe	iexplore.exe
2972	3716	WerFault.exe	iexplore.exe
3796	1840	WerFault.exe	iexplore.exe
1480	2416	WerFault.exe	iexplore.exe
1588	3552	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 37 IoCs

Processes:

nuevo pedido#23785.exenuevo pedido#23785.exe

description	pid	process	target process
PID 3556 set thread context of 3140	3556	nuevo pedido#23785.exe	nuevo pedido#23785.exe
PID 3140 set thread context of 356	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 2904	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 1556	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 440	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 2244	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 1380	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 1692	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3492	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 2148	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3176	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3036	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 2268	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 1048	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 972	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 1676	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 68	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3484	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3512	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3188	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 2160	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3828	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3752	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3104	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 2232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 4020	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 2524	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3268	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 1456	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 1540	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 1460	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 704	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3716	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 1840	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 2416	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 set thread context of 3552	3140	nuevo pedido#23785.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

nuevo pedido#23785.exe

pid	process
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe
3140	nuevo pedido#23785.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nuevo pedido#23785.exe

pid process

3140 nuevo pedido#23785.exe
Suspicious use of UnmapMainImage 3 IoCs

Processes:

iexplore.exe

pid process

972 iexplore.exe
972 iexplore.exe
972 iexplore.exe

pid	process
972	iexplore.exe
972	iexplore.exe
972	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

nuevo pedido#23785.exenuevo pedido#23785.exe

description	pid	process	target process
PID 3556 wrote to memory of 3140	3556	nuevo pedido#23785.exe	nuevo pedido#23785.exe
PID 3556 wrote to memory of 3140	3556	nuevo pedido#23785.exe	nuevo pedido#23785.exe
PID 3556 wrote to memory of 3140	3556	nuevo pedido#23785.exe	nuevo pedido#23785.exe
PID 3556 wrote to memory of 3140	3556	nuevo pedido#23785.exe	nuevo pedido#23785.exe
PID 3556 wrote to memory of 3140	3556	nuevo pedido#23785.exe	nuevo pedido#23785.exe
PID 3556 wrote to memory of 3140	3556	nuevo pedido#23785.exe	nuevo pedido#23785.exe
PID 3556 wrote to memory of 3140	3556	nuevo pedido#23785.exe	nuevo pedido#23785.exe
PID 3140 wrote to memory of 356	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 356	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 356	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 356	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 356	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 356	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 356	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 356	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2904	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2904	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2904	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2904	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2904	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2904	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2904	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2904	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1556	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1556	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1556	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1556	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1556	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1556	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1556	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1556	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 440	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 440	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 440	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 440	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 440	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 440	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 440	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 440	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 3232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 3232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 3232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 3232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 3232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 3232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 3232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 3232	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2244	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2244	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2244	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2244	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2244	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2244	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2244	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 2244	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1380	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1380	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1380	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1380	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1380	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1380	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1380	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1380	3140	nuevo pedido#23785.exe	iexplore.exe
PID 3140 wrote to memory of 1692	3140	nuevo pedido#23785.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

nuevo pedido#23785.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nuevo pedido#23785.exe

C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
"C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3556

C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
"C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3140

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 356 -s 24
4⤵
- Program crash
PID:352

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 24
4⤵
- Program crash
PID:1564

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 24
4⤵
- Program crash
PID:1420

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 24
4⤵
- Program crash
PID:424

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 24
4⤵
- Program crash
PID:2716

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 24
4⤵
- Program crash
PID:1156

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 24
4⤵
- Program crash
PID:1496

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 24
4⤵
- Program crash
PID:1656

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 24
4⤵
- Program crash
PID:2132

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 24
4⤵
- Program crash
PID:2084

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 24
4⤵
- Program crash
PID:2260

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 24
4⤵
- Program crash
PID:3640

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 24
4⤵
- Program crash
PID:4040

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 24
4⤵
- Program crash
PID:1544

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
- Suspicious use of UnmapMainImage
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 24
4⤵
- Program crash
PID:2336

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 24
4⤵
- Program crash
PID:1832

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:68

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 68 -s 24
4⤵
- Program crash
PID:2528

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 24
4⤵
- Program crash
PID:3576

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 24
4⤵
- Program crash
PID:3132

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 24
4⤵
- Program crash
PID:2408

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 24
4⤵
- Program crash
PID:1308

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 24
4⤵
- Program crash
PID:3852

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 24
4⤵
- Program crash
PID:1016

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 24
4⤵
- Program crash
PID:1816

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 24
4⤵
- Program crash
PID:2956

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 24
4⤵
- Program crash
PID:300

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 24
4⤵
- Program crash
PID:872

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 24
4⤵
- Program crash
PID:3292

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 24
4⤵
- Program crash
PID:1416

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 24
4⤵
- Program crash
PID:3952

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 24
4⤵
- Program crash
PID:1172

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 24
4⤵
- Program crash
PID:2712

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 24
4⤵
- Program crash
PID:2972

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 24
4⤵
- Program crash
PID:3796

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 24
4⤵
- Program crash
PID:1480

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\nuevo pedido#23785.exe
3⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 24
4⤵
- Program crash
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

4

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3140-125-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3140-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3556-115-0x0000000000060000-0x00000000000D2000-memory.dmp

Filesize
456KB

Download
memory/3556-116-0x0000000004DB0000-0x00000000052AE000-memory.dmp

Filesize
5.0MB

Download
memory/3556-117-0x0000000004950000-0x00000000049E2000-memory.dmp

Filesize
584KB

Download
memory/3556-118-0x0000000004920000-0x000000000492A000-memory.dmp

Filesize
40KB

Download
memory/3556-119-0x00000000048B0000-0x0000000004DAE000-memory.dmp

Filesize
5.0MB

Download
memory/3556-120-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/3556-121-0x0000000005410000-0x000000000541E000-memory.dmp

Filesize
56KB

Download
memory/3556-122-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/3556-123-0x00000000058D0000-0x0000000005932000-memory.dmp

Filesize
392KB

Download
memory/3556-124-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads