Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2024 22:14
Behavioral task: behavioral1
Sample: Picture51.JPG_www.facebook.exe
Resource: win7-20240903-en
General
Target: Picture51.JPG_www.facebook.exe
Size: 247KB
MD5: 9ab9b29ed9665f438fd932b48125c0ce
SHA1: b18cc46c6adfa4f31e8757eb3893ec2defa025c0
SHA256: 70e0d40ed37dc9f6d6034443f384569e277f0aa08355096e203b8c5da61ee36a
SHA512: 3c4a2b0b41f083f8ad873b0c09e1a358cc9c0d61a74b1816bc774d51c7d79fc81b7e0faa41c84024bb55648ae9f103e2886f4faeacbc1f6a10d3c5ee15abd2d7
SSDEEP: 6144:kpOWBNDeyzuJBeuqc593Kb6UMuxbPPPzgnPbOB1emoxzU53:svBTKefc59ouSbPzgPbO7Zol43
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself (1 IoC)
- PID 2556 wmpdlr32.exe
Executes dropped EXE (16 IoCs)
Loads dropped DLL (32 IoCs)
resource yara_rule upx
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory (48 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 17 IoCs)
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\Picture51.JPG_www.facebook.exe (PID 2696)
Command line: "C:\Users\Admin\AppData\Local\Temp\Picture51.JPG_www.facebook.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2556, child of PID 2696)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Users\Admin\AppData\Local\Temp\PICTUR~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2600, child of PID 2556)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2724, child of PID 2600)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\wmpdlr32.exe (PID 580, child of PID 2724)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\wmpdlr32.exe (PID 828, child of PID 580)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\wmpdlr32.exe (PID 1660, child of PID 828)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2148, child of PID 1660)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2500, child of PID 2148)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2072, child of PID 2500)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SysWOW64\wmpdlr32.exe (PID 1272, child of PID 2072)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\SysWOW64\wmpdlr32.exe (PID 1464, child of PID 1272)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 13: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2916, child of PID 1464)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\SysWOW64\wmpdlr32.exe (PID 1244, child of PID 2916)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 15: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2776, child of PID 1244)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 16: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2576, child of PID 2776)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 17: C:\Windows\SysWOW64\wmpdlr32.exe (PID 2668, child of PID 2576)
Command line: "C:\Windows\system32\wmpdlr32.exe" C:\Windows\SysWOW64\wmpdlr32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 247KB
MD5: 9ab9b29ed9665f438fd932b48125c0ce
SHA1: b18cc46c6adfa4f31e8757eb3893ec2defa025c0
SHA256: 70e0d40ed37dc9f6d6034443f384569e277f0aa08355096e203b8c5da61ee36a
SHA512: 3c4a2b0b41f083f8ad873b0c09e1a358cc9c0d61a74b1816bc774d51c7d79fc81b7e0faa41c84024bb55648ae9f103e2886f4faeacbc1f6a10d3c5ee15abd2d7