metasploit | bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

Analysis

max time kernel
139s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
Size

204KB
MD5

1f8d0272195363ed64bd8eabf0636f7c
SHA1

106c5a8a5e6aaa5a0e3484921d638ca384bb25f0
SHA256

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c
SHA512

cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f
SSDEEP

3072:9jdk2pchLit819xFqwJtHngbeHvVrbtduDJ55ik/JCjzII:x22pcISFqwDPVrjul5Mk/4HD

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 8 IoCs

Processes:

wmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

pid process

1140 wmpdtc32.exe
1760 wmpdtc32.exe
316 wmpdtc32.exe
1860 wmpdtc32.exe
1508 wmpdtc32.exe
1652 wmpdtc32.exe
1648 wmpdtc32.exe
768 wmpdtc32.exe

pid	process
1140	wmpdtc32.exe
1760	wmpdtc32.exe
316	wmpdtc32.exe
1860	wmpdtc32.exe
1508	wmpdtc32.exe
1652	wmpdtc32.exe
1648	wmpdtc32.exe
768	wmpdtc32.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/912-55-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/912-58-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/912-57-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/912-63-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/912-64-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/912-65-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/912-66-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/912-87-0x0000000002F80000-0x0000000002FC9000-memory.dmp	upx
behavioral1/memory/1760-88-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/912-89-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1760-90-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1760-110-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1860-111-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1860-112-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1652-133-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1860-134-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1652-135-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/768-154-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1652-157-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/768-158-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

wmpdtc32.exe

pid process

1760 wmpdtc32.exe

pid	process
1760	wmpdtc32.exe

Loads dropped DLL 16 IoCs

Processes:

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

pid	process
912	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
912	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
1140	wmpdtc32.exe
1140	wmpdtc32.exe
1760	wmpdtc32.exe
1760	wmpdtc32.exe
316	wmpdtc32.exe
316	wmpdtc32.exe
1860	wmpdtc32.exe
1860	wmpdtc32.exe
1508	wmpdtc32.exe
1508	wmpdtc32.exe
1652	wmpdtc32.exe
1652	wmpdtc32.exe
1648	wmpdtc32.exe
1648	wmpdtc32.exe

Maps connected drives based on registry 3 TTPs 10 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exebbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe

Drops file in System32 directory 12 IoCs

Processes:

wmpdtc32.exebbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

description	pid	process	target process
PID 1632 set thread context of 912	1632	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 1140 set thread context of 1760	1140	wmpdtc32.exe	wmpdtc32.exe
PID 316 set thread context of 1860	316	wmpdtc32.exe	wmpdtc32.exe
PID 1508 set thread context of 1652	1508	wmpdtc32.exe	wmpdtc32.exe
PID 1648 set thread context of 768	1648	wmpdtc32.exe	wmpdtc32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

pid	process
912	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
912	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
1760	wmpdtc32.exe
1760	wmpdtc32.exe
1860	wmpdtc32.exe
1860	wmpdtc32.exe
1652	wmpdtc32.exe
1652	wmpdtc32.exe
768	wmpdtc32.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exebbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

description	pid	process	target process
PID 1632 wrote to memory of 912	1632	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 1632 wrote to memory of 912	1632	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 1632 wrote to memory of 912	1632	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 1632 wrote to memory of 912	1632	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 1632 wrote to memory of 912	1632	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 1632 wrote to memory of 912	1632	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 1632 wrote to memory of 912	1632	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 912 wrote to memory of 1140	912	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	wmpdtc32.exe
PID 912 wrote to memory of 1140	912	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	wmpdtc32.exe
PID 912 wrote to memory of 1140	912	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	wmpdtc32.exe
PID 912 wrote to memory of 1140	912	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	wmpdtc32.exe
PID 1140 wrote to memory of 1760	1140	wmpdtc32.exe	wmpdtc32.exe
PID 1140 wrote to memory of 1760	1140	wmpdtc32.exe	wmpdtc32.exe
PID 1140 wrote to memory of 1760	1140	wmpdtc32.exe	wmpdtc32.exe
PID 1140 wrote to memory of 1760	1140	wmpdtc32.exe	wmpdtc32.exe
PID 1140 wrote to memory of 1760	1140	wmpdtc32.exe	wmpdtc32.exe
PID 1140 wrote to memory of 1760	1140	wmpdtc32.exe	wmpdtc32.exe
PID 1140 wrote to memory of 1760	1140	wmpdtc32.exe	wmpdtc32.exe
PID 1760 wrote to memory of 316	1760	wmpdtc32.exe	wmpdtc32.exe
PID 1760 wrote to memory of 316	1760	wmpdtc32.exe	wmpdtc32.exe
PID 1760 wrote to memory of 316	1760	wmpdtc32.exe	wmpdtc32.exe
PID 1760 wrote to memory of 316	1760	wmpdtc32.exe	wmpdtc32.exe
PID 316 wrote to memory of 1860	316	wmpdtc32.exe	wmpdtc32.exe
PID 316 wrote to memory of 1860	316	wmpdtc32.exe	wmpdtc32.exe
PID 316 wrote to memory of 1860	316	wmpdtc32.exe	wmpdtc32.exe
PID 316 wrote to memory of 1860	316	wmpdtc32.exe	wmpdtc32.exe
PID 316 wrote to memory of 1860	316	wmpdtc32.exe	wmpdtc32.exe
PID 316 wrote to memory of 1860	316	wmpdtc32.exe	wmpdtc32.exe
PID 316 wrote to memory of 1860	316	wmpdtc32.exe	wmpdtc32.exe
PID 1860 wrote to memory of 1508	1860	wmpdtc32.exe	wmpdtc32.exe
PID 1860 wrote to memory of 1508	1860	wmpdtc32.exe	wmpdtc32.exe
PID 1860 wrote to memory of 1508	1860	wmpdtc32.exe	wmpdtc32.exe
PID 1860 wrote to memory of 1508	1860	wmpdtc32.exe	wmpdtc32.exe
PID 1508 wrote to memory of 1652	1508	wmpdtc32.exe	wmpdtc32.exe
PID 1508 wrote to memory of 1652	1508	wmpdtc32.exe	wmpdtc32.exe
PID 1508 wrote to memory of 1652	1508	wmpdtc32.exe	wmpdtc32.exe
PID 1508 wrote to memory of 1652	1508	wmpdtc32.exe	wmpdtc32.exe
PID 1508 wrote to memory of 1652	1508	wmpdtc32.exe	wmpdtc32.exe
PID 1508 wrote to memory of 1652	1508	wmpdtc32.exe	wmpdtc32.exe
PID 1508 wrote to memory of 1652	1508	wmpdtc32.exe	wmpdtc32.exe
PID 1652 wrote to memory of 1648	1652	wmpdtc32.exe	wmpdtc32.exe
PID 1652 wrote to memory of 1648	1652	wmpdtc32.exe	wmpdtc32.exe
PID 1652 wrote to memory of 1648	1652	wmpdtc32.exe	wmpdtc32.exe
PID 1652 wrote to memory of 1648	1652	wmpdtc32.exe	wmpdtc32.exe
PID 1648 wrote to memory of 768	1648	wmpdtc32.exe	wmpdtc32.exe
PID 1648 wrote to memory of 768	1648	wmpdtc32.exe	wmpdtc32.exe
PID 1648 wrote to memory of 768	1648	wmpdtc32.exe	wmpdtc32.exe
PID 1648 wrote to memory of 768	1648	wmpdtc32.exe	wmpdtc32.exe
PID 1648 wrote to memory of 768	1648	wmpdtc32.exe	wmpdtc32.exe
PID 1648 wrote to memory of 768	1648	wmpdtc32.exe	wmpdtc32.exe
PID 1648 wrote to memory of 768	1648	wmpdtc32.exe	wmpdtc32.exe

C:\Users\Admin\AppData\Local\Temp\bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
"C:\Users\Admin\AppData\Local\Temp\bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
"C:\Users\Admin\AppData\Local\Temp\bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe"
2⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\BBACD2~1.EXE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\BBACD2~1.EXE
4⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
10⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:768

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
memory/316-94-0x0000000000000000-mapping.dmp

Download
memory/316-104-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/768-154-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/768-148-0x00000000004534E0-mapping.dmp

Download
memory/768-158-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/912-58-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/912-63-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/912-87-0x0000000002F80000-0x0000000002FC9000-memory.dmp

Filesize
292KB

Download
memory/912-86-0x0000000002F80000-0x0000000002FC9000-memory.dmp

Filesize
292KB

Download
memory/912-55-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/912-62-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/912-89-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/912-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/912-59-0x00000000004534E0-mapping.dmp

Download
memory/912-64-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/912-54-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/912-66-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/912-65-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1140-69-0x0000000000000000-mapping.dmp

Download
memory/1140-81-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1508-126-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1508-115-0x0000000000000000-mapping.dmp

Download
memory/1632-60-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1648-139-0x0000000000000000-mapping.dmp

Download
memory/1648-151-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1652-124-0x00000000004534E0-mapping.dmp

Download
memory/1652-135-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1652-157-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1652-133-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1652-152-0x00000000042B0000-0x00000000042F9000-memory.dmp

Filesize
292KB

Download
memory/1760-79-0x00000000004534E0-mapping.dmp

Download
memory/1760-90-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1760-110-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1760-88-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1860-132-0x0000000002EE0000-0x0000000002F29000-memory.dmp

Filesize
292KB

Download
memory/1860-112-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1860-111-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1860-131-0x0000000002EE0000-0x0000000002F29000-memory.dmp

Filesize
292KB

Download
memory/1860-103-0x00000000004534E0-mapping.dmp

Download
memory/1860-134-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads