metasploit | bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

Analysis

max time kernel
185s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
Size

204KB
MD5

1f8d0272195363ed64bd8eabf0636f7c
SHA1

106c5a8a5e6aaa5a0e3484921d638ca384bb25f0
SHA256

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c
SHA512

cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f
SSDEEP

3072:9jdk2pchLit819xFqwJtHngbeHvVrbtduDJ55ik/JCjzII:x22pcISFqwDPVrjul5Mk/4HD

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 26 IoCs

Processes:

wmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

pid	process
4156	wmpdtc32.exe
3748	wmpdtc32.exe
2388	wmpdtc32.exe
1788	wmpdtc32.exe
4024	wmpdtc32.exe
2996	wmpdtc32.exe
5012	wmpdtc32.exe
4800	wmpdtc32.exe
3020	wmpdtc32.exe
3108	wmpdtc32.exe
1616	wmpdtc32.exe
648	wmpdtc32.exe
4032	wmpdtc32.exe
4024	wmpdtc32.exe
4784	wmpdtc32.exe
4228	wmpdtc32.exe
4224	wmpdtc32.exe
2300	wmpdtc32.exe
1884	wmpdtc32.exe
2248	wmpdtc32.exe
4276	wmpdtc32.exe
4900	wmpdtc32.exe
2844	wmpdtc32.exe
5088	wmpdtc32.exe
1724	wmpdtc32.exe
632	wmpdtc32.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/204-133-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/204-136-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/204-137-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/204-138-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/204-148-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3748-150-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3748-159-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3748-161-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1788-162-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1788-171-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2996-173-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2996-174-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2996-184-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4800-185-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4800-193-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3108-196-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3108-206-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/648-207-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/648-217-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4024-218-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4024-226-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4228-229-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4228-238-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2300-240-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2300-250-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2248-251-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2248-260-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4900-262-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4900-266-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4900-267-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5088-273-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5088-274-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5088-275-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5088-285-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/632-287-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exebbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wmpdtc32.exe

Maps connected drives based on registry 3 TTPs 28 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exebbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdtc32.exe

Drops file in System32 directory 39 IoCs

Processes:

wmpdtc32.exewmpdtc32.exewmpdtc32.exebbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

description	pid	process	target process
PID 768 set thread context of 204	768	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 4156 set thread context of 3748	4156	wmpdtc32.exe	wmpdtc32.exe
PID 2388 set thread context of 1788	2388	wmpdtc32.exe	wmpdtc32.exe
PID 4024 set thread context of 2996	4024	wmpdtc32.exe	wmpdtc32.exe
PID 5012 set thread context of 4800	5012	wmpdtc32.exe	wmpdtc32.exe
PID 3020 set thread context of 3108	3020	wmpdtc32.exe	wmpdtc32.exe
PID 1616 set thread context of 648	1616	wmpdtc32.exe	wmpdtc32.exe
PID 4032 set thread context of 4024	4032	wmpdtc32.exe	wmpdtc32.exe
PID 4784 set thread context of 4228	4784	wmpdtc32.exe	wmpdtc32.exe
PID 4224 set thread context of 2300	4224	wmpdtc32.exe	wmpdtc32.exe
PID 1884 set thread context of 2248	1884	wmpdtc32.exe	wmpdtc32.exe
PID 4276 set thread context of 4900	4276	wmpdtc32.exe	wmpdtc32.exe
PID 2844 set thread context of 5088	2844	wmpdtc32.exe	wmpdtc32.exe
PID 1724 set thread context of 632	1724	wmpdtc32.exe	wmpdtc32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 13 IoCs

Processes:

wmpdtc32.exebbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdtc32.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

pid	process
204	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
204	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
204	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
204	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
3748	wmpdtc32.exe
3748	wmpdtc32.exe
3748	wmpdtc32.exe
3748	wmpdtc32.exe
1788	wmpdtc32.exe
1788	wmpdtc32.exe
1788	wmpdtc32.exe
1788	wmpdtc32.exe
2996	wmpdtc32.exe
2996	wmpdtc32.exe
2996	wmpdtc32.exe
2996	wmpdtc32.exe
4800	wmpdtc32.exe
4800	wmpdtc32.exe
4800	wmpdtc32.exe
4800	wmpdtc32.exe
3108	wmpdtc32.exe
3108	wmpdtc32.exe
3108	wmpdtc32.exe
3108	wmpdtc32.exe
648	wmpdtc32.exe
648	wmpdtc32.exe
648	wmpdtc32.exe
648	wmpdtc32.exe
4024	wmpdtc32.exe
4024	wmpdtc32.exe
4024	wmpdtc32.exe
4024	wmpdtc32.exe
4228	wmpdtc32.exe
4228	wmpdtc32.exe
4228	wmpdtc32.exe
4228	wmpdtc32.exe
2300	wmpdtc32.exe
2300	wmpdtc32.exe
2300	wmpdtc32.exe
2300	wmpdtc32.exe
2248	wmpdtc32.exe
2248	wmpdtc32.exe
2248	wmpdtc32.exe
2248	wmpdtc32.exe
4900	wmpdtc32.exe
4900	wmpdtc32.exe
4900	wmpdtc32.exe
4900	wmpdtc32.exe
5088	wmpdtc32.exe
5088	wmpdtc32.exe
5088	wmpdtc32.exe
5088	wmpdtc32.exe
632	wmpdtc32.exe
632	wmpdtc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exebbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exewmpdtc32.exe

description	pid	process	target process
PID 768 wrote to memory of 204	768	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 768 wrote to memory of 204	768	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 768 wrote to memory of 204	768	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 768 wrote to memory of 204	768	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 768 wrote to memory of 204	768	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 768 wrote to memory of 204	768	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 768 wrote to memory of 204	768	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
PID 204 wrote to memory of 4156	204	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	wmpdtc32.exe
PID 204 wrote to memory of 4156	204	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	wmpdtc32.exe
PID 204 wrote to memory of 4156	204	bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe	wmpdtc32.exe
PID 4156 wrote to memory of 3748	4156	wmpdtc32.exe	wmpdtc32.exe
PID 4156 wrote to memory of 3748	4156	wmpdtc32.exe	wmpdtc32.exe
PID 4156 wrote to memory of 3748	4156	wmpdtc32.exe	wmpdtc32.exe
PID 4156 wrote to memory of 3748	4156	wmpdtc32.exe	wmpdtc32.exe
PID 4156 wrote to memory of 3748	4156	wmpdtc32.exe	wmpdtc32.exe
PID 4156 wrote to memory of 3748	4156	wmpdtc32.exe	wmpdtc32.exe
PID 4156 wrote to memory of 3748	4156	wmpdtc32.exe	wmpdtc32.exe
PID 3748 wrote to memory of 2388	3748	wmpdtc32.exe	wmpdtc32.exe
PID 3748 wrote to memory of 2388	3748	wmpdtc32.exe	wmpdtc32.exe
PID 3748 wrote to memory of 2388	3748	wmpdtc32.exe	wmpdtc32.exe
PID 2388 wrote to memory of 1788	2388	wmpdtc32.exe	wmpdtc32.exe
PID 2388 wrote to memory of 1788	2388	wmpdtc32.exe	wmpdtc32.exe
PID 2388 wrote to memory of 1788	2388	wmpdtc32.exe	wmpdtc32.exe
PID 2388 wrote to memory of 1788	2388	wmpdtc32.exe	wmpdtc32.exe
PID 2388 wrote to memory of 1788	2388	wmpdtc32.exe	wmpdtc32.exe
PID 2388 wrote to memory of 1788	2388	wmpdtc32.exe	wmpdtc32.exe
PID 2388 wrote to memory of 1788	2388	wmpdtc32.exe	wmpdtc32.exe
PID 1788 wrote to memory of 4024	1788	wmpdtc32.exe	wmpdtc32.exe
PID 1788 wrote to memory of 4024	1788	wmpdtc32.exe	wmpdtc32.exe
PID 1788 wrote to memory of 4024	1788	wmpdtc32.exe	wmpdtc32.exe
PID 4024 wrote to memory of 2996	4024	wmpdtc32.exe	wmpdtc32.exe
PID 4024 wrote to memory of 2996	4024	wmpdtc32.exe	wmpdtc32.exe
PID 4024 wrote to memory of 2996	4024	wmpdtc32.exe	wmpdtc32.exe
PID 4024 wrote to memory of 2996	4024	wmpdtc32.exe	wmpdtc32.exe
PID 4024 wrote to memory of 2996	4024	wmpdtc32.exe	wmpdtc32.exe
PID 4024 wrote to memory of 2996	4024	wmpdtc32.exe	wmpdtc32.exe
PID 4024 wrote to memory of 2996	4024	wmpdtc32.exe	wmpdtc32.exe
PID 2996 wrote to memory of 5012	2996	wmpdtc32.exe	wmpdtc32.exe
PID 2996 wrote to memory of 5012	2996	wmpdtc32.exe	wmpdtc32.exe
PID 2996 wrote to memory of 5012	2996	wmpdtc32.exe	wmpdtc32.exe
PID 5012 wrote to memory of 4800	5012	wmpdtc32.exe	wmpdtc32.exe
PID 5012 wrote to memory of 4800	5012	wmpdtc32.exe	wmpdtc32.exe
PID 5012 wrote to memory of 4800	5012	wmpdtc32.exe	wmpdtc32.exe
PID 5012 wrote to memory of 4800	5012	wmpdtc32.exe	wmpdtc32.exe
PID 5012 wrote to memory of 4800	5012	wmpdtc32.exe	wmpdtc32.exe
PID 5012 wrote to memory of 4800	5012	wmpdtc32.exe	wmpdtc32.exe
PID 5012 wrote to memory of 4800	5012	wmpdtc32.exe	wmpdtc32.exe
PID 4800 wrote to memory of 3020	4800	wmpdtc32.exe	wmpdtc32.exe
PID 4800 wrote to memory of 3020	4800	wmpdtc32.exe	wmpdtc32.exe
PID 4800 wrote to memory of 3020	4800	wmpdtc32.exe	wmpdtc32.exe
PID 3020 wrote to memory of 3108	3020	wmpdtc32.exe	wmpdtc32.exe
PID 3020 wrote to memory of 3108	3020	wmpdtc32.exe	wmpdtc32.exe
PID 3020 wrote to memory of 3108	3020	wmpdtc32.exe	wmpdtc32.exe
PID 3020 wrote to memory of 3108	3020	wmpdtc32.exe	wmpdtc32.exe
PID 3020 wrote to memory of 3108	3020	wmpdtc32.exe	wmpdtc32.exe
PID 3020 wrote to memory of 3108	3020	wmpdtc32.exe	wmpdtc32.exe
PID 3020 wrote to memory of 3108	3020	wmpdtc32.exe	wmpdtc32.exe
PID 3108 wrote to memory of 1616	3108	wmpdtc32.exe	wmpdtc32.exe
PID 3108 wrote to memory of 1616	3108	wmpdtc32.exe	wmpdtc32.exe
PID 3108 wrote to memory of 1616	3108	wmpdtc32.exe	wmpdtc32.exe
PID 1616 wrote to memory of 648	1616	wmpdtc32.exe	wmpdtc32.exe
PID 1616 wrote to memory of 648	1616	wmpdtc32.exe	wmpdtc32.exe
PID 1616 wrote to memory of 648	1616	wmpdtc32.exe	wmpdtc32.exe
PID 1616 wrote to memory of 648	1616	wmpdtc32.exe	wmpdtc32.exe

C:\Users\Admin\AppData\Local\Temp\bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
"C:\Users\Admin\AppData\Local\Temp\bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe
"C:\Users\Admin\AppData\Local\Temp\bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c.exe"
2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\BBACD2~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\BBACD2~1.EXE
4⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
8⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
10⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
12⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
14⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:648

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4032

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
16⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4784

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
18⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4228

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4224

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
20⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1884

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
22⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4276

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
24⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2844

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
26⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1724

C:\Windows\SysWOW64\wmpdtc32.exe
"C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
28⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
C:\Windows\SysWOW64\wmpdtc32.exe
Filesize
204KB

MD5
1f8d0272195363ed64bd8eabf0636f7c

SHA1
106c5a8a5e6aaa5a0e3484921d638ca384bb25f0

SHA256
bbacd2d7ae6cbde26819cd2b917b82cb01f57247872159d0b79a1c0dfba45a1c

SHA512
cc4c06ab376e81695c0c06a9b008b432d851496c5c1cee15d4e3b455d04d32e3f43e117a2eccf5d57e1c25d1dd17ee7e4df3871038ea1333de89ba4be71dcf5f

Download Submit
memory/204-138-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/204-132-0x0000000000000000-mapping.dmp

Download
memory/204-136-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/204-137-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/204-133-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/204-148-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/632-279-0x0000000000000000-mapping.dmp

Download
memory/632-287-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/648-217-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/648-199-0x0000000000000000-mapping.dmp

Download
memory/648-207-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/768-135-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1616-197-0x0000000000000000-mapping.dmp

Download
memory/1616-201-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1724-282-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1724-278-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1724-276-0x0000000000000000-mapping.dmp

Download
memory/1788-153-0x0000000000000000-mapping.dmp

Download
memory/1788-171-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1788-162-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1884-241-0x0000000000000000-mapping.dmp

Download
memory/1884-247-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2248-243-0x0000000000000000-mapping.dmp

Download
memory/2248-251-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2248-260-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2300-250-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2300-232-0x0000000000000000-mapping.dmp

Download
memory/2300-240-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2388-151-0x0000000000000000-mapping.dmp

Download
memory/2388-157-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2844-271-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2844-265-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2844-263-0x0000000000000000-mapping.dmp

Download
memory/2996-165-0x0000000000000000-mapping.dmp

Download
memory/2996-173-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-174-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2996-184-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3020-191-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3020-186-0x0000000000000000-mapping.dmp

Download
memory/3108-188-0x0000000000000000-mapping.dmp

Download
memory/3108-206-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3108-196-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3748-161-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3748-142-0x0000000000000000-mapping.dmp

Download
memory/3748-159-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3748-150-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4024-218-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4024-210-0x0000000000000000-mapping.dmp

Download
memory/4024-163-0x0000000000000000-mapping.dmp

Download
memory/4024-226-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4024-167-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4032-213-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4032-208-0x0000000000000000-mapping.dmp

Download
memory/4156-139-0x0000000000000000-mapping.dmp

Download
memory/4156-145-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4224-230-0x0000000000000000-mapping.dmp

Download
memory/4224-235-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4228-238-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4228-221-0x0000000000000000-mapping.dmp

Download
memory/4228-229-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4276-252-0x0000000000000000-mapping.dmp

Download
memory/4276-258-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4784-219-0x0000000000000000-mapping.dmp

Download
memory/4784-224-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4800-193-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4800-177-0x0000000000000000-mapping.dmp

Download
memory/4800-185-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4900-254-0x0000000000000000-mapping.dmp

Download
memory/4900-267-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4900-266-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4900-262-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5012-181-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5012-175-0x0000000000000000-mapping.dmp

Download
memory/5088-275-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5088-274-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5088-273-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5088-268-0x0000000000000000-mapping.dmp

Download
memory/5088-285-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download