Malware Analysis Report

2025-05-06 00:24

Sample ID 241109-z84zzssfje
Target 49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N
SHA256 49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9
Tags
discovery persistence
score
7/10


Analysis Overview

score
7/10

SHA256

49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9

Threat Level: Shows suspicious behavior

The file 49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:24

Reported

2024-11-09 21:26

Platform

win7-20240903-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\internet explorer\wmpscfgs.exe C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A
File created C:\Program Files (x86)\259471205.dat C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\bcssync.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
File opened for modification \??\c:\program files (x86)\adobe\acrotray .exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
File created \??\c:\program files (x86)\internet explorer\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\bcssync.exe C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A
File created \??\c:\program files (x86)\adobe\acrotray.exe C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A
File created C:\Program Files (x86)\259470862.dat \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
File opened for modification \??\c:\program files (x86)\adobe\acrotray.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
File created \??\c:\program files (x86)\adobe\acrotray .exe C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437349344" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000d8c08134cccebf37d0ea6b6b4a36ba5d6fc491c746d932d1a9462463203e084f000000000e80000000020000200000000f4aeec286f3991cf50fa3a77a6eb8567318142db2bedf1fb0925c56cfbad3a4200000005bfd28084a99bcc50ed7acdeae565c0cb5c6b0c6aba328ec015211d8e38a89da40000000e613feead18b928a95ee1a1b23e61f56e9be80451b5ee5ff747d6bd902f753527039642adc0ea7ad388b44200a4f1dcf6e8f4a4f1fe24deb946d699e3799ecab C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = ... C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e00d25cced32db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05C16F81-9EE1-11EF-9204-FE6EB537C9A6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1868 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1868 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1868 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1868 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1868 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1868 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1868 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2552 wrote to memory of 3028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 3028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 3028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 3028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2200 wrote to memory of 1652 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 2200 wrote to memory of 1652 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 2200 wrote to memory of 1652 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 2200 wrote to memory of 1652 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 2200 wrote to memory of 2016 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2200 wrote to memory of 2016 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2200 wrote to memory of 2016 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2200 wrote to memory of 2016 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2552 wrote to memory of 2444 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 2444 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 2444 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 2444 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1652 wrote to memory of 1248 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1652 wrote to memory of 1248 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1652 wrote to memory of 1248 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1652 wrote to memory of 1248 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe

"C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe"

\??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

c:\users\admin\appdata\local\temp\\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2

\??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

c:\users\admin\appdata\local\temp\\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:537606 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 272

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.supernetforme.com udp
NL 82.192.82.225:80 www.supernetforme.com tcp
NL 82.192.82.225:80 www.supernetforme.com tcp
US 8.8.8.8:53 ww1.supernetforme.com udp
US 199.59.243.227:80 ww1.supernetforme.com tcp
US 199.59.243.227:80 ww1.supernetforme.com tcp
NL 82.192.82.225:80 www.supernetforme.com tcp
NL 82.192.82.225:80 www.supernetforme.com tcp
US 199.59.243.227:80 ww1.supernetforme.com tcp
US 199.59.243.227:80 ww1.supernetforme.com tcp
NL 94.75.229.248:80 tcp
NL 94.75.229.248:80 tcp
NL 94.75.229.248:80 tcp
NL 94.75.229.248:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.superwebbysearch.com udp
US 192.157.56.140:80 www.superwebbysearch.com tcp
US 192.157.56.140:80 www.superwebbysearch.com tcp
US 8.8.8.8:53 ww1.superwebbysearch.com udp
US 199.59.243.227:80 ww1.superwebbysearch.com tcp
US 199.59.243.227:80 ww1.superwebbysearch.com tcp

Files

memory/1868-0-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/1868-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1868-2-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

MD5 444f79a0afb562b59d0a340357717397
SHA1 66e504d673b92cb3291c5469f86130662cb03ba5
SHA256 eb5bcd420b8d8db8e852cac02771bf9c85532b5dcaef03b20eaebf4cfe472fda
SHA512 391def8cf6a6821ff1686962d4a6797993e70788ef280a0ce8d75e4531494f8bd2fbcc60921da5e4c439934cfd4136476d0fd5eb853e4f74a7a19aa5393dfd7e

\Program Files (x86)\Internet Explorer\wmpscfgs.exe

MD5 efe6c111110cdd4ed1eb18af4ef09481
SHA1 d49d0c2a690c76f07c1fcfa1237e9ce59e1089c7
SHA256 68243cb7c1e9f51c89dc59850dba601c0d39220441e5b6c7a76e05dfde5264c4
SHA512 8efee3e5a80ea8156ff0b583beab922ed14b0cc26d0fe8495f7d684bb19b9359a7db3a6b7843d2f40482abb577b427c8a001a55b4c1eba76873bf6830d993619

memory/2720-30-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-29-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/1868-28-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/1868-27-0x0000000005030000-0x00000000059EB000-memory.dmp

memory/1868-26-0x0000000005030000-0x00000000059EB000-memory.dmp

memory/1868-25-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2200-33-0x0000000010000000-0x0000000010010000-memory.dmp

memory/2200-39-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-40-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2720-42-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2720-41-0x0000000000400000-0x0000000000DBB000-memory.dmp

\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

MD5 93b4be302cb18a7513b72309fa37ca98
SHA1 ccfeffe9bb8b12abf68827c46a14da6ae14e4aa7
SHA256 607f0646370b167938f7381665f44c4840c499c47c157cf86536bebfa7e43644
SHA512 fe7e1bece2818238a24ca7fe375db6b065775f838d9de58d2a7e1bc1bed4d5e40746c9896d8de21eda5c864e3f1a7d45ad1a1f6cdd8525de76187c6a206de1f4

memory/2720-50-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

\??\c:\program files (x86)\adobe\acrotray .exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2200-56-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2720-57-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-65-0x0000000004AE0000-0x000000000549B000-memory.dmp

memory/2200-63-0x0000000004AE0000-0x000000000549B000-memory.dmp

memory/2016-73-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-78-0x00000000028E0000-0x00000000028E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OXCE5RZ5.txt

MD5 c6725fdf848513905aecca254ae9c9e4
SHA1 d0f823395cf192ba63c2cd7a4d75b991a62f50e6
SHA256 de3f3c555733da57c252c6f72dffe0cc06536bf118144a6efdc5dbf19241cb38
SHA512 f65650c904981bc0f706083735cff5aace38ca0c43090410380786ccb55bdff047dc3a2336a1e148fb2f49283e96525d64fcae43d68291f6ebd99868fb2616dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QA6KMSXO.txt

MD5 9cb045e7cec67f4fa8119b9816170e4f
SHA1 14a132bfdcc777a988cea1c7d00c4d6a31db56b0
SHA256 49afe12c7bb4c7eb54e5651e77c118974e7f5ebb2a3bc6571bdd01e8db51208f
SHA512 1a7b5927ed38aac2596da9ceb0ef237544253874a6b20c235a209f36b0d71200b3fef476ff2ef46b5ab90a922a283468f2c2d4e46953c1d0b8a5c5a4d13825b8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\bkSlltbjV[1].js

MD5 ce07affa04803b8889da4add31fd43dc
SHA1 0fb5a8fcee96a30571493eab29d0e2a6555a16ff
SHA256 8c1495c44aec0fa67b5ea6caf921a72de269aff5387ae21fc97e22f94f4f7f3f
SHA512 f79974074d4f5f991d2acb486189d8c8668dc854c40dc586836359fc20d38c66d0f98303962c072e119a4ca0daf1156cb8ff476c9b3cebf785f37ae73b88567f

memory/1652-98-0x0000000000400000-0x0000000000DBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab602C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar608D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e699d5e94d3a191e83854a4a57aff988
SHA1 a95a3c17362c3a0f1a8c7f2cea46ffc35b4d49a2
SHA256 ef5c6ae4b7282e30ff37471a33205af2fa555abdb6f9d5b214ae0c6ff4b5bb5a
SHA512 cbef3b4964e51a8afeaf26897c23bf561e49c2117ac07b2bc6b64862446ac69da4f9a0e1ac2185f21929e7fa313ad39419707a99d920572960356138c9da491f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f66bf5fe0ed001390ed1669252dbe6a
SHA1 5f540632bb26c951ff6db1c0899fe54d94af51cf
SHA256 aa926867ee9d69c161a599c5d9bfe1b979c940b057764052ebb8ef0e4f370723
SHA512 534821bfa63235249a140feca1cfb79925c80a23f4ee23e9c1b9442a470a913ef92bf82a791375636ec491b2e16a49904f044f856efdc5a2486bd92d77ccb85e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 144e39ab4fb6fe2eeff76a39f1978156
SHA1 bb37ca3221fe7f7f5a1fa3b88452df153f43c1e1
SHA256 9b286a6073aeadf6a1f6ea72322dd82be71cf341925fe0df72b84f0fdbea09fd
SHA512 4c9c4a662eb12c096077aa68aeb69b161d51df29907313f1173c326f98866410f9c129080dbd2a5690552d7c2b29f8a1edb39d769131847782f5e0c1c84d43bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adbd8cfad64c4b0ed187a320c2ee791c
SHA1 6bd4b7a84eadcb74dfd1da199a339e9c24828c8e
SHA256 571f1227dabff242e32e700b390a6c32c3585013c3b29aff9c95a4ee551d8c67
SHA512 e83c33b4dc392e62c90109277a29d7491f6b925ae5f84d46339cfe5d051f975279abd5b08286a8c453821d958b26a47989912c9e90fda2f342fd3e0f496e5229

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e847d0955d402e0092d3718e2eb419b
SHA1 d5f937eb7898be4f8993071de31eb9d55a019ba8
SHA256 501ab426125065d67b0a8125461e286dba1ed7dac9c20e6a43f21e0c81c905c0
SHA512 37531a487ecb829958887f70478afe2bc63ff687fc182aaa4d8b7219cf7d36626aa918f3180104c6d40bd08a907947012642ac950c1720954dafd72019b38676

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7ddba85f4b0a4c579549f16daa2fd45
SHA1 e8a18be4fd3f5a6a6aed6ebd4cac6ad049b1713b
SHA256 6ae4cc8f4d2053518af67466f8898963886436b8332b953cb1e6eae9061f9a97
SHA512 a847567d3fd362ddf75fa593f11360e4f42f2dc05fe3d929ee2c15e333a01985a449bba30eb52e077d7e6b1a9818a721e6eecb8be824be39c676bcf1466c046e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26e47a30a01001b7955e5b0d0a233633
SHA1 0f29397e01e18e59c3fd84a6878506486185fe92
SHA256 deff90cd46472fc05902c180c5909dc7a4a43144546b157c2277a13d00f8a8b0
SHA512 e3f554ca699564cd7a0a0195a3e36364e5c60c7f06b71fba8f0a4ac46e149707ca4f54a1a4718e640744268d5569a8c5ea4ba52bbda64e597ad4d2778accfd6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b98bd9e64222e21557fc81e93e9c651
SHA1 54b7bccf736cac381a30fd38894ac87173e862e5
SHA256 c058f8c0dca72550b0859115937fce6388b111b2c7dfc05709ca4c22c0021241
SHA512 1f19e3aa5d7571f5cf0d2a3e47ffbeab1915440344308e0cc9aed17939722d3f936f09312bab7462a16f0b2aade82395f794667cc0ea6fb9c0b6bd7d0d2f1a4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0c528677ea8ca49af8584279e242854
SHA1 f336a7cc23f58bea1f1a4885caf8a4d3f2f82cbb
SHA256 0bce3b14a16f090f937d4169997b751bb15cabe1c4b1ddd79f5a183f83b88e3c
SHA512 5df671040d02b618cebfe7a0f7811fa8412ca53f6e9e2d257324dc0f2b9b4d66619e8df2336458157355ec851a47ee1284bf7c4122677e3ddf109b032f8e401f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88b64a419740f39bd31ac5281601e4ff
SHA1 e636357638e504baa7b3e8b69645c7f75de47a9a
SHA256 cb331019861ff77d205e80ad6be78a044e02122b3d68d0afa1bed649149dd6e8
SHA512 918a91ed4fa4c87c1eaa4d257b2778235fb0a2493910787852bfa2cce9d2e2c0a8b8b822994a3c774c1303faa4b7d1629b2b338ed7b458d950dc41419d5d6f6e

memory/2200-527-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-529-0x0000000004AE0000-0x000000000549B000-memory.dmp

memory/2720-528-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-530-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2720-531-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2720-537-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-542-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-543-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-545-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-546-0x0000000000400000-0x0000000000DBB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7be67d3d793300302822dfd4d614f8b5
SHA1 5546941f1f6317640c0ce8e991f59d6fbcf731e2
SHA256 8d133b7801627043f7eeae4b3929e0a0da43f80f01ccfd163bf212001023f12c
SHA512 b4c913c65829444cdd62cc0f47f64f176fe925a87253f865768a20e9fb59c222bcec552209ca781ba8981011c35e871606b1766ddf997738c6e6b0e9d55a858f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8ba41b884acc73207154b8405f72ccc
SHA1 9bb801ff5624eae385d98cfa40f9dd41cb63a7c0
SHA256 5bf03e4d7c89317d3f4fb24d6b1ad8742fc53273e35c8f6f2f056aec9ea9a86b
SHA512 12e6141564f4b829934abca0b33a7934f99718950f2e9738dab7f37bd8d4c07e90702f03fbda8ee955a776b54cba2640b60d174830eefd9e421a9a9845e86cc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 212abf52fe1abf8b936e6f824a3077ef
SHA1 8cf89cac85d5c546d8127940c37cf097171e87cc
SHA256 5c3c2b1f6075d80f80361b15e16c9ed07112173538954749318ecd6b0edb0eec
SHA512 e128399a34ceb7dc7d3bae1ace3623fb553ae4c904510abf1dc5646845918f1fe0ed3e1efc4f28757a12cae867b4f5f2840f93bc551e770cad62abd56db8e471

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 658691f73be4d39faa17a70e026d18ed
SHA1 7736990564c88c48bcb463a62dc1ae6a682b90a5
SHA256 38059a29ee67071e54f7274ac06b152f1bc3c185058a12c45f4c4be5da8f4a04
SHA512 5eaa9dbac9b9cd84965fbdbc8ad1757eb148ba822d3b5e12b3b4e0dc1839640ae933200dab31174043d524708d405594c4979f1437961bc3b09f51a8f8b54383

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4d531a0f0a0a9e9c2520e70001740b2
SHA1 e1778ec04c2a675ea6f7848351372d2e3b2337f1
SHA256 3e7a20a0f8d2d9208080ba789958c8b255357acdf11d153b807dab809cf30747
SHA512 78cb6b04afccce9d7793673a96e5a6cce5b7a552ddb8d8216fef5d83a9685c0e3786ffc44d19b09aa785d5494782da426d0261f0efeadf86814e895e160445a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf089c3ae21e934bc9db7e3018502159
SHA1 aa95367914ea5206b0290f30804b9e8bb0b5784f
SHA256 2585a3ab680b03e824c5544906ecc5cd1090ba2bb7e7a1c6104f91ad949929cd
SHA512 5ff42b5a8d16738a68b5e2804eddb8a20982af5f0aff7cfc0ff4c37f482372bd11fff7ee08571bca07db220a6135421e6685289d5df95a72f7c847a6173af792

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75d0cec6fa0ad974704ee2e8a447e641
SHA1 cb7dfa6fbeb7c928a179bfd10abc129218fc562f
SHA256 30253e763449929bb85dc32d352bedbbf1ab6fdf9a68c48f2b1c229b8b8163af
SHA512 4dc55526a560da87df04f1801ff0ef8336a2bc29dbde3113d3c0ad404eefe36d60c33f17e285bf10e6a134b58b902fe343f30cb4efcbf8fdf938118094a7735a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67af962e138fe028d5c73c05c656b5bf
SHA1 ab0d90d09d9577dc5b4067736a7381ecc633a9bf
SHA256 4c8e15031d670362d9bf78aa99122ad8fbf4acf4d298c65cce6cddfd99f16976
SHA512 a73bffc8b9a13b95e7d73863506aeb06153755eca52fe1e398e697599cf519d824fae1f59855664d81074c8821cb2e5d6926d4214abfa1e6bb387b44e0ac4a3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee723000a0e259d0731d8580bff3a673
SHA1 3cdf6f6b58abb987cbb2f2af0fd439ccc7eb4589
SHA256 d9d56ac4e3cd4a2e9b76ae86f3caac73133ae1eaac89d69e298936f1fcbffa35
SHA512 c7c59cb7c24674821a9988f3774526ffdbefaf70598ad801990d05f4d280eab0a589d95e2429c8f66bcfaf5e49cda16ca4abe3272344954a2184db934eb4a189

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e73917c0b8791d4ee534aef0467ad964
SHA1 9bb11b65617d05b492c29fe166806acf49850b1c
SHA256 bbb5870479326bc096b29f3bb24438d57f63010260fc3c34a80964aceda421e9
SHA512 8c69774b435e6d05fa5ee3cac4a65926021d186f0e0bcb87e740070275ba6a8187e6a55e736d5a8735e6b0b87f70085616647bf7d1f99fe76bce5006410f89e5

memory/2200-986-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-987-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/2200-1002-0x0000000000400000-0x0000000000DBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:24

Reported

2024-11-09 21:26

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\adobe\acrotray.exe C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A
File created \??\c:\program files (x86)\internet explorer\wmpscfgs.exe C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A
File created \??\c:\program files (x86)\adobe\acrotray .exe C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe

"C:\Users\Admin\AppData\Local\Temp\49b5a95d6794e15745fb356f6ae713d0a5f9c2116fe4eac3b9d2b7d3bb4ba1d9N.exe"

\??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

c:\users\admin\appdata\local\temp\\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5032 -ip 5032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 672

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4564-0-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/4564-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/4564-2-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

MD5 700e80da33ae19edefb49d7e2c1e9f39
SHA1 db2ead23d837a4a220cfdd1e8d0c2c5374b92bc2
SHA256 816a4010109cdd0ee48e0ae4180ced3eec42fc7ecc5c22eec3462d8739d6d478
SHA512 6659c5d2b19fc61fbf212eaf2d976dc926f21d36f1191fc3cfbabac1157ca47fc84ff5207f448b20b28c4ef39a7ff19df3509df396882393533ee6298732160f

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

MD5 40070b1d40e4f7fc91768f87aafd605b
SHA1 6f553870c0d2ee3b5adabc947c2161d074232959
SHA256 e5f64c3b3eb7e473c8b87689cf56daeff233f474b977b49aad58d8e16bccf68a
SHA512 ee9a7b929deb5687584d6b45e428d213622e2170b7d1285a58d24ac955f159dcce5ca7f5f146df215fbfd3af8768db9efea9d8c999b1dbe8ffb1a6e60304cf3c

memory/4564-15-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/4840-16-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/4564-17-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/5032-18-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/4840-19-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/4840-21-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/4840-23-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/5032-24-0x0000000000400000-0x0000000000DBB000-memory.dmp

memory/5032-25-0x000000007FA70000-0x000000007FE41000-memory.dmp