metasploit | 55dda01cfd510a816154e2123674bb9b04bafd22b56746193b3a098b43806040

General

Target

Photo19.JPG_www.tinypic.exe
Size

151KB
MD5

f9661b5a1d1f85b637f19c988c49d657
SHA1

1e2e92ea95b4a62134ab60c9752615427da454e6
SHA256

f5b1c8cb0afde9644af26732e236ceab656b16ea5ae358f43d5fa81d83b0e4f7
SHA512

3ae0a09d06c90a225aa051dc90237df5ddd3872ef26e6a8ddbef52b5e99a844e13ec3ecf684bdabe869818555ea0febf9c30ac72ac2fd94eaa97e93e05bf885a
SSDEEP

3072:j2zAHt8gc03EK2/3qHOdctCD9kyR2mg0xv6XlIz0E+4il+vDe:Q037M3SOdcti9ky8V0ZulIzF+4il+v6

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exePhoto19.JPG_www.tinypic.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Photo19.JPG_www.tinypic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	wmpdlp32.exe

Deletes itself 1 IoCs

Processes:

wmpdlp32.exe

pid process

2472 wmpdlp32.exe

pid	process
2472	wmpdlp32.exe

Executes dropped EXE 32 IoCs

Processes:

wmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exe

pid	process
1152	wmpdlp32.exe
2472	wmpdlp32.exe
5088	wmpdlp32.exe
8	wmpdlp32.exe
4992	wmpdlp32.exe
1604	wmpdlp32.exe
4196	wmpdlp32.exe
4352	wmpdlp32.exe
624	wmpdlp32.exe
2412	wmpdlp32.exe
2940	wmpdlp32.exe
2580	wmpdlp32.exe
1200	wmpdlp32.exe
1020	wmpdlp32.exe
5004	wmpdlp32.exe
4916	wmpdlp32.exe
1648	wmpdlp32.exe
3368	wmpdlp32.exe
3524	wmpdlp32.exe
3612	wmpdlp32.exe
4020	wmpdlp32.exe
4236	wmpdlp32.exe
4616	wmpdlp32.exe
2872	wmpdlp32.exe
1944	wmpdlp32.exe
3100	wmpdlp32.exe
1748	wmpdlp32.exe
4480	wmpdlp32.exe
1508	wmpdlp32.exe
2024	wmpdlp32.exe
3564	wmpdlp32.exe
4848	wmpdlp32.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4744-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4744-2-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4744-3-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4744-4-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2472-42-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4744-44-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2472-49-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/8-53-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2472-54-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1604-62-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/8-63-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4352-70-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1604-72-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4352-81-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2412-80-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2412-90-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2580-88-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1020-99-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2580-100-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4916-107-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1020-109-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4916-117-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3612-124-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3368-126-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4236-133-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3612-137-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2872-144-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4236-147-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3100-153-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2872-157-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4480-164-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3100-167-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2024-175-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4480-178-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4848-185-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2024-188-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 34 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exePhoto19.JPG_www.tinypic.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Photo19.JPG_www.tinypic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Photo19.JPG_www.tinypic.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlp32.exe

Drops file in System32 directory 48 IoCs

Processes:

wmpdlp32.exewmpdlp32.exewmpdlp32.exePhoto19.JPG_www.tinypic.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	Photo19.JPG_www.tinypic.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	Photo19.JPG_www.tinypic.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlp32.exe	Photo19.JPG_www.tinypic.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlp32.exe
File created	C:\Windows\SysWOW64\wmpdlp32.exe	wmpdlp32.exe

Suspicious use of SetThreadContext 17 IoCs

Processes:

Photo19.JPG_www.tinypic.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exe

description	pid	process	target process
PID 536 set thread context of 4744	536	Photo19.JPG_www.tinypic.exe	Photo19.JPG_www.tinypic.exe
PID 1152 set thread context of 2472	1152	wmpdlp32.exe	wmpdlp32.exe
PID 5088 set thread context of 8	5088	wmpdlp32.exe	wmpdlp32.exe
PID 4992 set thread context of 1604	4992	wmpdlp32.exe	wmpdlp32.exe
PID 4196 set thread context of 4352	4196	wmpdlp32.exe	wmpdlp32.exe
PID 624 set thread context of 2412	624	wmpdlp32.exe	wmpdlp32.exe
PID 2940 set thread context of 2580	2940	wmpdlp32.exe	wmpdlp32.exe
PID 1200 set thread context of 1020	1200	wmpdlp32.exe	wmpdlp32.exe
PID 5004 set thread context of 4916	5004	wmpdlp32.exe	wmpdlp32.exe
PID 1648 set thread context of 3368	1648	wmpdlp32.exe	wmpdlp32.exe
PID 3524 set thread context of 3612	3524	wmpdlp32.exe	wmpdlp32.exe
PID 4020 set thread context of 4236	4020	wmpdlp32.exe	wmpdlp32.exe
PID 4616 set thread context of 2872	4616	wmpdlp32.exe	wmpdlp32.exe
PID 1944 set thread context of 3100	1944	wmpdlp32.exe	wmpdlp32.exe
PID 1748 set thread context of 4480	1748	wmpdlp32.exe	wmpdlp32.exe
PID 1508 set thread context of 2024	1508	wmpdlp32.exe	wmpdlp32.exe
PID 3564 set thread context of 4848	3564	wmpdlp32.exe	wmpdlp32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

Processes:

wmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exePhoto19.JPG_www.tinypic.exewmpdlp32.exewmpdlp32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Photo19.JPG_www.tinypic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlp32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Photo19.JPG_www.tinypic.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exe

pid	process
4744	Photo19.JPG_www.tinypic.exe
4744	Photo19.JPG_www.tinypic.exe
4744	Photo19.JPG_www.tinypic.exe
4744	Photo19.JPG_www.tinypic.exe
2472	wmpdlp32.exe
2472	wmpdlp32.exe
2472	wmpdlp32.exe
2472	wmpdlp32.exe
8	wmpdlp32.exe
8	wmpdlp32.exe
8	wmpdlp32.exe
8	wmpdlp32.exe
1604	wmpdlp32.exe
1604	wmpdlp32.exe
1604	wmpdlp32.exe
1604	wmpdlp32.exe
4352	wmpdlp32.exe
4352	wmpdlp32.exe
4352	wmpdlp32.exe
4352	wmpdlp32.exe
2412	wmpdlp32.exe
2412	wmpdlp32.exe
2412	wmpdlp32.exe
2412	wmpdlp32.exe
2580	wmpdlp32.exe
2580	wmpdlp32.exe
2580	wmpdlp32.exe
2580	wmpdlp32.exe
1020	wmpdlp32.exe
1020	wmpdlp32.exe
1020	wmpdlp32.exe
1020	wmpdlp32.exe
4916	wmpdlp32.exe
4916	wmpdlp32.exe
4916	wmpdlp32.exe
4916	wmpdlp32.exe
3368	wmpdlp32.exe
3368	wmpdlp32.exe
3368	wmpdlp32.exe
3368	wmpdlp32.exe
3612	wmpdlp32.exe
3612	wmpdlp32.exe
3612	wmpdlp32.exe
3612	wmpdlp32.exe
4236	wmpdlp32.exe
4236	wmpdlp32.exe
4236	wmpdlp32.exe
4236	wmpdlp32.exe
2872	wmpdlp32.exe
2872	wmpdlp32.exe
2872	wmpdlp32.exe
2872	wmpdlp32.exe
3100	wmpdlp32.exe
3100	wmpdlp32.exe
3100	wmpdlp32.exe
3100	wmpdlp32.exe
4480	wmpdlp32.exe
4480	wmpdlp32.exe
4480	wmpdlp32.exe
4480	wmpdlp32.exe
2024	wmpdlp32.exe
2024	wmpdlp32.exe
2024	wmpdlp32.exe
2024	wmpdlp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Photo19.JPG_www.tinypic.exePhoto19.JPG_www.tinypic.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exewmpdlp32.exe

description	pid	process	target process
PID 536 wrote to memory of 4744	536	Photo19.JPG_www.tinypic.exe	Photo19.JPG_www.tinypic.exe
PID 536 wrote to memory of 4744	536	Photo19.JPG_www.tinypic.exe	Photo19.JPG_www.tinypic.exe
PID 536 wrote to memory of 4744	536	Photo19.JPG_www.tinypic.exe	Photo19.JPG_www.tinypic.exe
PID 536 wrote to memory of 4744	536	Photo19.JPG_www.tinypic.exe	Photo19.JPG_www.tinypic.exe
PID 536 wrote to memory of 4744	536	Photo19.JPG_www.tinypic.exe	Photo19.JPG_www.tinypic.exe
PID 536 wrote to memory of 4744	536	Photo19.JPG_www.tinypic.exe	Photo19.JPG_www.tinypic.exe
PID 536 wrote to memory of 4744	536	Photo19.JPG_www.tinypic.exe	Photo19.JPG_www.tinypic.exe
PID 4744 wrote to memory of 1152	4744	Photo19.JPG_www.tinypic.exe	wmpdlp32.exe
PID 4744 wrote to memory of 1152	4744	Photo19.JPG_www.tinypic.exe	wmpdlp32.exe
PID 4744 wrote to memory of 1152	4744	Photo19.JPG_www.tinypic.exe	wmpdlp32.exe
PID 1152 wrote to memory of 2472	1152	wmpdlp32.exe	wmpdlp32.exe
PID 1152 wrote to memory of 2472	1152	wmpdlp32.exe	wmpdlp32.exe
PID 1152 wrote to memory of 2472	1152	wmpdlp32.exe	wmpdlp32.exe
PID 1152 wrote to memory of 2472	1152	wmpdlp32.exe	wmpdlp32.exe
PID 1152 wrote to memory of 2472	1152	wmpdlp32.exe	wmpdlp32.exe
PID 1152 wrote to memory of 2472	1152	wmpdlp32.exe	wmpdlp32.exe
PID 1152 wrote to memory of 2472	1152	wmpdlp32.exe	wmpdlp32.exe
PID 2472 wrote to memory of 5088	2472	wmpdlp32.exe	wmpdlp32.exe
PID 2472 wrote to memory of 5088	2472	wmpdlp32.exe	wmpdlp32.exe
PID 2472 wrote to memory of 5088	2472	wmpdlp32.exe	wmpdlp32.exe
PID 5088 wrote to memory of 8	5088	wmpdlp32.exe	wmpdlp32.exe
PID 5088 wrote to memory of 8	5088	wmpdlp32.exe	wmpdlp32.exe
PID 5088 wrote to memory of 8	5088	wmpdlp32.exe	wmpdlp32.exe
PID 5088 wrote to memory of 8	5088	wmpdlp32.exe	wmpdlp32.exe
PID 5088 wrote to memory of 8	5088	wmpdlp32.exe	wmpdlp32.exe
PID 5088 wrote to memory of 8	5088	wmpdlp32.exe	wmpdlp32.exe
PID 5088 wrote to memory of 8	5088	wmpdlp32.exe	wmpdlp32.exe
PID 8 wrote to memory of 4992	8	wmpdlp32.exe	wmpdlp32.exe
PID 8 wrote to memory of 4992	8	wmpdlp32.exe	wmpdlp32.exe
PID 8 wrote to memory of 4992	8	wmpdlp32.exe	wmpdlp32.exe
PID 4992 wrote to memory of 1604	4992	wmpdlp32.exe	wmpdlp32.exe
PID 4992 wrote to memory of 1604	4992	wmpdlp32.exe	wmpdlp32.exe
PID 4992 wrote to memory of 1604	4992	wmpdlp32.exe	wmpdlp32.exe
PID 4992 wrote to memory of 1604	4992	wmpdlp32.exe	wmpdlp32.exe
PID 4992 wrote to memory of 1604	4992	wmpdlp32.exe	wmpdlp32.exe
PID 4992 wrote to memory of 1604	4992	wmpdlp32.exe	wmpdlp32.exe
PID 4992 wrote to memory of 1604	4992	wmpdlp32.exe	wmpdlp32.exe
PID 1604 wrote to memory of 4196	1604	wmpdlp32.exe	wmpdlp32.exe
PID 1604 wrote to memory of 4196	1604	wmpdlp32.exe	wmpdlp32.exe
PID 1604 wrote to memory of 4196	1604	wmpdlp32.exe	wmpdlp32.exe
PID 4196 wrote to memory of 4352	4196	wmpdlp32.exe	wmpdlp32.exe
PID 4196 wrote to memory of 4352	4196	wmpdlp32.exe	wmpdlp32.exe
PID 4196 wrote to memory of 4352	4196	wmpdlp32.exe	wmpdlp32.exe
PID 4196 wrote to memory of 4352	4196	wmpdlp32.exe	wmpdlp32.exe
PID 4196 wrote to memory of 4352	4196	wmpdlp32.exe	wmpdlp32.exe
PID 4196 wrote to memory of 4352	4196	wmpdlp32.exe	wmpdlp32.exe
PID 4196 wrote to memory of 4352	4196	wmpdlp32.exe	wmpdlp32.exe
PID 4352 wrote to memory of 624	4352	wmpdlp32.exe	wmpdlp32.exe
PID 4352 wrote to memory of 624	4352	wmpdlp32.exe	wmpdlp32.exe
PID 4352 wrote to memory of 624	4352	wmpdlp32.exe	wmpdlp32.exe
PID 624 wrote to memory of 2412	624	wmpdlp32.exe	wmpdlp32.exe
PID 624 wrote to memory of 2412	624	wmpdlp32.exe	wmpdlp32.exe
PID 624 wrote to memory of 2412	624	wmpdlp32.exe	wmpdlp32.exe
PID 624 wrote to memory of 2412	624	wmpdlp32.exe	wmpdlp32.exe
PID 624 wrote to memory of 2412	624	wmpdlp32.exe	wmpdlp32.exe
PID 624 wrote to memory of 2412	624	wmpdlp32.exe	wmpdlp32.exe
PID 624 wrote to memory of 2412	624	wmpdlp32.exe	wmpdlp32.exe
PID 2412 wrote to memory of 2940	2412	wmpdlp32.exe	wmpdlp32.exe
PID 2412 wrote to memory of 2940	2412	wmpdlp32.exe	wmpdlp32.exe
PID 2412 wrote to memory of 2940	2412	wmpdlp32.exe	wmpdlp32.exe
PID 2940 wrote to memory of 2580	2940	wmpdlp32.exe	wmpdlp32.exe
PID 2940 wrote to memory of 2580	2940	wmpdlp32.exe	wmpdlp32.exe
PID 2940 wrote to memory of 2580	2940	wmpdlp32.exe	wmpdlp32.exe
PID 2940 wrote to memory of 2580	2940	wmpdlp32.exe	wmpdlp32.exe

C:\Users\Admin\AppData\Local\Temp\Photo19.JPG_www.tinypic.exe
"C:\Users\Admin\AppData\Local\Temp\Photo19.JPG_www.tinypic.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\Photo19.JPG_www.tinypic.exe
"C:\Users\Admin\AppData\Local\Temp\Photo19.JPG_www.tinypic.exe"
2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\PHOTO1~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\PHOTO1~1.EXE
4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1200

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5004

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1648

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3524

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4020

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4236

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4616

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1944

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1748

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1508

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3564

C:\Windows\SysWOW64\wmpdlp32.exe
"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe
34⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpdlp32.exe
Filesize
151KB

MD5
f9661b5a1d1f85b637f19c988c49d657

SHA1
1e2e92ea95b4a62134ab60c9752615427da454e6

SHA256
f5b1c8cb0afde9644af26732e236ceab656b16ea5ae358f43d5fa81d83b0e4f7

SHA512
3ae0a09d06c90a225aa051dc90237df5ddd3872ef26e6a8ddbef52b5e99a844e13ec3ecf684bdabe869818555ea0febf9c30ac72ac2fd94eaa97e93e05bf885a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-53-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/8-63-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1020-109-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1020-99-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1604-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1604-62-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2024-188-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2024-175-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2412-90-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2412-80-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2472-54-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2472-42-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2472-49-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2580-88-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2580-100-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2872-157-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2872-144-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3100-167-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3100-153-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3368-126-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3612-137-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3612-124-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4236-133-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4236-147-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4352-81-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4352-70-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4480-164-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4480-178-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4744-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4744-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4744-44-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4744-3-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4744-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4848-185-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4916-107-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4916-117-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads