Analysis
max time kernel: 148s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 26/09/2024, 02:48
Static task: static1
Behavioral task: behavioral1, sample dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe, resource win7-20240729-en (the run whose signatures and process tree are shown on this page)
Behavioral task: behavioral2, sample dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe, resource win10v2004-20240802-en
General
Target: dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
Size: 202KB
MD5: f31bfa9138af5f385b7056230e482478
SHA1: 10cffd0b5bc8db53881f2dc1d5980cb82914a9be
SHA256: dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3
SHA512: 98e7594e263231977939a99af7d72118bef5fee9f61517430835d793137fe48d6b4755a09222681fd7af5e780b82b2bd1726f6e0b4ca16162ca517e058538db4
SSDEEP: 3072:5DnsNLa+VJiA5NNXIQRhYWl9UQ0eu4CkC0eB0Xr7Iv9woAcDFjR/D5vQO:KaO9YI9t0Ete0IVwJcDFjx
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
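The extracted config names the encoder (encoder/call4_dword_xor) but not what it does to the bytes. The following is an added example, not tria.ge's or Metasploit's code: it rebuilds the encoder's output format (a short x86 decoder stub followed by the payload XORed dword by dword with one 4-byte key), then scans a buffer for that stub, recovers the key and length from it, and decodes the payload. The stub layout is this example's transcription of the public Metasploit encoder; the key and payload bytes are constructed, and NOP padding of unaligned payloads is a choice made here.

```python
"""
Added example (not tria.ge's or Metasploit's code): what the extracted
'encoder/call4_dword_xor' means for the bytes in memory.  The decoder stub
layout is this example's transcription of the public Metasploit encoder;
the key and payload bytes below are constructed.
"""
import re
import struct

# x86 decoder stub.  'call $+4' returns into the last 0xFF of its own operand,
# so 'FF C0' executes as 'inc eax'; the following 'pop esi' yields the address
# of the C0 byte, and the encoded payload starts 0x0E bytes after it.
STUB_TEMPLATE = (
    b"\x31\xc9"              # xor ecx, ecx
    b"\x81\xe9" b"CCCC"      # sub ecx, -(len/4)          CCCC := -count (no NUL bytes for small payloads)
    b"\xe8\xff\xff\xff\xff"  # call $+4
    b"\xc0"                  # (FF C0) inc eax
    b"\x5e"                  # pop esi
    b"\x81\x76\x0e" b"KKKK"  # xor dword [esi+0x0e], key  KKKK := key
    b"\x83\xee\xfc"          # sub esi, -4
    b"\xe2\xf4"              # loop back to the xor
)

# The same bytes as a scan pattern, with the count and the key wildcarded.
STUB_RE = re.compile(
    rb"\x31\xc9\x81\xe9(....)\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e(....)\x83\xee\xfc\xe2\xf4",
    re.DOTALL,
)


def encode(payload: bytes, key: bytes) -> bytes:
    """Return stub + payload XORed dword-wise with key (payload NOP-padded to 4 bytes)."""
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    if len(payload) % 4:
        payload += b"\x90" * (4 - len(payload) % 4)   # padding choice of this example
    count = len(payload) // 4
    stub = STUB_TEMPLATE.replace(b"CCCC", struct.pack("<i", -count)).replace(b"KKKK", key)
    return stub + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def find_and_decode(blob: bytes):
    """Locate a stub in blob; return (offset, key, decoded payload), or None if absent or truncated."""
    m = STUB_RE.search(blob)
    if m is None:
        return None
    count = -struct.unpack("<i", m.group(1))[0]       # the stub stores -(len/4)
    key = m.group(2)
    enc = blob[m.end(): m.end() + 4 * count]          # m.end() is esi+0x0e on the first loop iteration
    if len(enc) != 4 * count:
        return None                                   # buffer cut off before the payload ends
    return m.start(), key, bytes(b ^ key[i % 4] for i, b in enumerate(enc))


if __name__ == "__main__":
    payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"   # constructed stand-in for shellcode
    blob = b"\x00" * 16 + encode(payload, b"\xde\xad\xbe\xef") + b"\x00" * 8
    print(find_and_decode(blob))
```

Two things to keep in mind when using a pattern like STUB_RE: the stub is 27 bytes with only eight wildcarded, so it is a strong match on its own; and because the key is applied statically (no feedback between dwords), any memory dump that contains the stub also contains everything needed to recover the payload, which is the kind of evidence a detection such as the MetaSploit signature above can key on.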
Deletes itself (1 IoC)
pid   Process
3064  wmpdtv32.exe
Executes dropped EXE (32 IoCs)
Process wmpdtv32.exe, pids in order of creation: 2888, 3064, 1732, 2276, 1520, 2340, 2612, 1724, 300, 2228, 1224, 2360, 2016, 1632, 1332, 2304, 344, 2972, 2380, 2168, 2932, 2804, 1736, 1344, 1520, 1964, 2264, 2268, 1388, 1780, 2144, 908
Loads dropped DLL (32 IoCs)
pid 2628, dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
Process wmpdtv32.exe, pids: 2888, 3064, 1732, 2276, 1520, 2340, 2612, 1724, 300, 2228, 1224, 2360, 2016, 1632, 1332, 2304, 344, 2972, 2380, 2168, 2932, 2804, 1736, 1344, 1520, 1964, 2264, 2268, 1388, 1780, 2144
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.
Identical rows collapsed; count is how many times the row appears in the report.
count  description        ioc                                                          Process
16     Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    wmpdtv32.exe
 1     Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
16     Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  wmpdtv32.exe
 1     Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
Drops file in System32 directory (48 IoCs)
Identical rows collapsed; count is how many times the row appears in the report. Every process that drops is the one the original sample or the previous copy injected into, and each of them writes the same copy to the same path.
count  description                   ioc                               Process
15     File created                  C:\Windows\SysWOW64\wmpdtv32.exe  wmpdtv32.exe
 1     File created                  C:\Windows\SysWOW64\wmpdtv32.exe  dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
15     File opened for modification  C:\Windows\SysWOW64\wmpdtv32.exe  wmpdtv32.exe
 1     File opened for modification  C:\Windows\SysWOW64\wmpdtv32.exe  dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
15     File opened for modification  C:\Windows\SysWOW64\              wmpdtv32.exe
 1     File opened for modification  C:\Windows\SysWOW64\              dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
Suspicious use of SetThreadContext (17 IoCs)
Each row is a parent setting the thread context of a child it created from the same image (see the Processes section).
pid   set thread context of  Process                                                                  procid_target
2296  2628                   dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe    30
2888  3064                   wmpdtv32.exe                                                             32
1732  2276                   wmpdtv32.exe                                                             34
1520  2340                   wmpdtv32.exe                                                             36
2612  1724                   wmpdtv32.exe                                                             38
300   2228                   wmpdtv32.exe                                                             40
1224  2360                   wmpdtv32.exe                                                             42
2016  1632                   wmpdtv32.exe                                                             44
1332  2304                   wmpdtv32.exe                                                             46
344   2972                   wmpdtv32.exe                                                             48
2380  2168                   wmpdtv32.exe                                                             50
2932  2804                   wmpdtv32.exe                                                             52
1736  1344                   wmpdtv32.exe                                                             54
1520  1964                   wmpdtv32.exe                                                             56
2264  2268                   wmpdtv32.exe                                                             58
1388  1780                   wmpdtv32.exe                                                             60
2144  908                    wmpdtv32.exe                                                             62
Yara rule "upx" matched in memory dumps (behavioral1, 49 hits)
Every hit is the 0x00400000-0x0045A000 region (the default 32-bit image base) of a process that appears as the target in the SetThreadContext table above, i.e. the injected-into copies, not the launchers.
pid   hits  memory dumps (behavioral1/memory/<pid>-<n>-0x0000000000400000-0x000000000045A000-memory.dmp)
2628  8     n = 2, 3, 4, 6, 7, 8, 9, 19
3064  6     n = 29, 30, 31, 32, 36, 37
2276  4     n = 48, 49, 50, 53
2340  4     n = 64, 65, 66, 71
1724  4     n = 81, 82, 83, 88
2228  2     n = 100, 105
2360  2     n = 117, 122
1632  2     n = 134, 139
2304  2     n = 151, 156
2972  2     n = 168, 173
2168  2     n = 185, 190
2804  2     n = 202, 207
1344  2     n = 219, 224
1964  2     n = 235, 239
2268  2     n = 249, 252
1780  2     n = 262, 265
908   1     n = 275
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 33 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Identical rows collapsed; count is how many times the row appears in the report.
count  description  ioc                                                          Process
31     Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmpdtv32.exe
 2     Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
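The two registry signatures above (Disk\Enum for drive enumeration, NLS\Language for the locale) describe reads, not what the sample concludes from them. The following is an added example, not code from the report or the sample: it reproduces the two reads as a host-profiling routine so the result of each check is visible, and runs it on constructed registry values for a VirtualBox guest, a VMware guest and a physical Russian-locale host. The hypervisor marker list, the excluded primary-language set and the "do not run if either fires" decision are this example's assumptions about what such checks are typically used for, not observed behaviour of this sample.

```python
"""
Added example, not code from the report or the sample: the two registry reads
behind 'Maps connected drives based on registry' and 'System Language Discovery',
reproduced as a host-profiling routine.  Marker list, language list, decision
rule and the sample registry values are this example's assumptions.
"""

# Keys the sample reads (ControlSet001 is normally what CurrentControlSet points at).
DISK_ENUM_KEY = r"SYSTEM\CurrentControlSet\Services\Disk\Enum"
NLS_LANGUAGE_KEY = r"SYSTEM\CurrentControlSet\Control\Nls\Language"

# Vendor/product substrings hypervisor-backed disks expose in the device instance
# path stored under Disk\Enum\0 (assumed list, not exhaustive).
VM_DISK_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

# Primary language IDs (low 10 bits of a LANGID) assumed excluded here:
# 0x19 Russian, 0x22 Ukrainian, 0x23 Belarusian, 0x3F Kazakh.
EXCLUDED_PRIMARY_LANGS = frozenset({0x19, 0x22, 0x23, 0x3F})

# Constructed values: (Disk\Enum\0, Nls\Language\InstallLanguage) for three hosts.
SAMPLE_HOSTS = {
    "virtualbox":  (r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1e3d1e3d&0&0.0.0", "0409"),
    "vmware":      (r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000", "0409"),
    "physical_ru": (r"SCSI\Disk&Ven_SAMSUNG&Prod_SSD_870\4&2a1b3c4d&0&000000", "0419"),
}


def disk_looks_virtual(enum0: str) -> bool:
    """True when the Disk\\Enum\\0 device path names a hypervisor disk."""
    upper = enum0.upper()
    return any(marker in upper for marker in VM_DISK_MARKERS)


def language_excluded(install_language: str) -> bool:
    """Compare the primary language of a hex LANGID string such as '0419' against the
    exclusion set, so regional variants (0x0819) are treated like the base language (0x0419)."""
    langid = int(install_language, 16)
    return (langid & 0x3FF) in EXCLUDED_PRIMARY_LANGS


def evaluate(enum0: str, install_language: str) -> dict:
    """Decision derived from the two reads (assumed rule: refuse to run on either hit)."""
    vm = disk_looks_virtual(enum0)
    excluded = language_excluded(install_language)
    return {"vm": vm, "excluded_locale": excluded, "run": not (vm or excluded)}


def read_live_values():
    """Read the same two values on a Windows host; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISK_ENUM_KEY) as key:
        enum0, _ = winreg.QueryValueEx(key, "0")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NLS_LANGUAGE_KEY) as key:
        install_language, _ = winreg.QueryValueEx(key, "InstallLanguage")
    return enum0, install_language


if __name__ == "__main__":
    for name, values in SAMPLE_HOSTS.items():
        print(name, evaluate(*values))
    live = read_live_values()
    if live is not None:
        print("this host", evaluate(*live))
```

The check on the sandbox side cuts both ways: a bare-metal or well-masked analysis VM whose Disk\Enum\0 carries a real vendor string passes the first test, and an analysis image with the wrong InstallLanguage fails the second regardless of hardware, which is why the locale tag of the resource (locale:en-us above) matters as much as the platform.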
Suspicious behavior: EnumeratesProcesses (33 IoCs)
pid 2628 (dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe): 2 hits
Process wmpdtv32.exe, 2 hits each: 3064, 2276, 2340, 1724, 2228, 2360, 1632, 2304, 2972, 2168, 2804, 1344, 1964, 2268, 1780
Process wmpdtv32.exe, 1 hit: 908
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows collapsed; the report lists only the first 64 rows, so the table stops at the 13th process of the chain (which is also why no process below level 12 in the Processes section carries this signature). Edges that also appear in the SetThreadContext table get 7 writes each; the plain spawn edges get 4.
writes  pid   wrote to memory of  Process                                                                  procid_target
7       2296  2628                dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe    30
4       2628  2888                dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe    31
7       2888  3064                wmpdtv32.exe                                                             32
4       3064  1732                wmpdtv32.exe                                                             33
7       1732  2276                wmpdtv32.exe                                                             34
4       2276  1520                wmpdtv32.exe                                                             35
7       1520  2340                wmpdtv32.exe                                                             36
4       2340  2612                wmpdtv32.exe                                                             37
7       2612  1724                wmpdtv32.exe                                                             38
4       1724  300                 wmpdtv32.exe                                                             39
7       300   2228                wmpdtv32.exe                                                             40
2       2228  1224                wmpdtv32.exe                                                             41 (cut off by the 64-row limit)
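The SetThreadContext and WriteProcessMemory tables are easier to read together than apart: a parent that writes into a child of its own image and then resets the child's thread context is the self-injection pattern, while writes into a child of a different image with no context change are ordinary process creation. The following is an added example, not tria.ge code, that parses IoC text in the report's flattened form, merges the two tables into per-edge facts, walks the chain from the root and labels each edge. The IoC text is rebuilt from the tables above for the first eight processes of the chain (row counts as reported); the parser, the chain walk and the labels are this example's own, and the labels are heuristics over what the report shows, not a statement of what was written.

```python
"""
Added example (not tria.ge code): correlate 'set thread context' and 'wrote to
memory' IoCs with the process tree to separate injection edges from spawn edges.
IoC text is rebuilt from the report's tables (first eight processes); parsing,
chain walk and labels are this example's own.
"""
import re
from collections import defaultdict

SAMPLE = "dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe"
COPY = "wmpdtv32.exe"

# pid -> image, from the Processes section (prefix of the chain; PIDs are only
# unique within this prefix, since the report reuses 1520 later in the run).
IMAGE = {2296: SAMPLE, 2628: SAMPLE, 2888: COPY, 3064: COPY,
         1732: COPY, 2276: COPY, 1520: COPY, 2340: COPY}


def ioc(parent, verb, child, image, target_idx, n=1):
    """One report row in the flattened form seen on the page, repeated n times."""
    return f"PID {parent} {verb} {child} {parent} {image} {target_idx} " * n


SET_CTX_TEXT = (
    ioc(2296, "set thread context of", 2628, SAMPLE, 30)
    + ioc(2888, "set thread context of", 3064, COPY, 32)
    + ioc(1732, "set thread context of", 2276, COPY, 34)
    + ioc(1520, "set thread context of", 2340, COPY, 36)
)
WPM_TEXT = (
    ioc(2296, "wrote to memory of", 2628, SAMPLE, 30, n=7)
    + ioc(2628, "wrote to memory of", 2888, SAMPLE, 31, n=4)
    + ioc(2888, "wrote to memory of", 3064, COPY, 32, n=7)
    + ioc(3064, "wrote to memory of", 1732, COPY, 33, n=4)
    + ioc(1732, "wrote to memory of", 2276, COPY, 34, n=7)
    + ioc(2276, "wrote to memory of", 1520, COPY, 35, n=4)
    + ioc(1520, "wrote to memory of", 2340, COPY, 36, n=7)
)

ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)")


def build_edges(*texts):
    """(parent, child) -> {'set_ctx': bool, 'writes': int}, merged over all given IoC texts."""
    edges = defaultdict(lambda: {"set_ctx": False, "writes": 0})
    for text in texts:
        for parent, verb, child, _image, _idx in ROW.findall(text):
            edge = edges[(int(parent), int(child))]
            if verb.startswith("set thread"):
                edge["set_ctx"] = True
            else:
                edge["writes"] += 1
    return dict(edges)


def chain(edges, root):
    """Follow parent -> child links from root; stops at a leaf or when a PID repeats."""
    children = {parent: child for (parent, child) in edges}
    out, seen = [root], {root}
    while out[-1] in children and children[out[-1]] not in seen:
        out.append(children[out[-1]])
        seen.add(out[-1])
    return out


def classify(edges, image):
    """Heuristic label per edge from what the report shows about it."""
    labels = {}
    for (parent, child), edge in edges.items():
        same_image = image.get(parent) == image.get(child)
        if edge["set_ctx"] and same_image:
            labels[(parent, child)] = "self-image injection"
        elif edge["set_ctx"]:
            labels[(parent, child)] = "injection into other image"
        else:
            labels[(parent, child)] = "spawn"
    return labels


if __name__ == "__main__":
    edges = build_edges(SET_CTX_TEXT, WPM_TEXT)
    labels = classify(edges, IMAGE)
    order = chain(edges, 2296)
    for parent, child in zip(order, order[1:]):
        print(parent, "->", child, edges[(parent, child)], labels[(parent, child)])
```

Run on the rebuilt text the chain comes out as 2296 → 2628 → 2888 → 3064 → 1732 → 2276 → 1520 → 2340 with the labels alternating injection, spawn, injection, spawn, and so on, which matches the alternating signature sets in the Processes section: every odd level is a launcher that only injects, every even level is the injected copy that drops the file and enumerates the registry.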
Processes
One linear chain 34 levels deep; each process has exactly one child. Two points to keep in mind when reading it: the command lines say C:\Windows\system32\ but the image actually loaded is C:\Windows\SysWOW64\wmpdtv32.exe, because the process is 32-bit and the WOW64 file-system redirector maps system32 to SysWOW64 on this x64 image; and PID 1520 appears twice (levels 7 and 27), so a PID on its own does not identify a process across the run. Odd levels carry SetThreadContext and even levels carry the file drop and registry reads, which is the injector/injected alternation described in the signature tables above.
level 1, PID 2296, image C:\Users\Admin\AppData\Local\Temp\dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

level 2, PID 2628, image C:\Users\Admin\AppData\Local\Temp\dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 3, PID 2888, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Users\Admin\AppData\Local\Temp\DC8B0E~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

level 4, PID 3064, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Users\Admin\AppData\Local\Temp\DC8B0E~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 5, PID 1732, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

level 6, PID 2276, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 7, PID 1520, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

level 8, PID 2340, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 9, PID 2612, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

level 10, PID 1724, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 11, PID 300, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

level 12, PID 2228, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 13, PID 1224, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 14, PID 2360, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 15, PID 2016, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 16, PID 1632, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 17, PID 1332, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 18, PID 2304, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 19, PID 344, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 20, PID 2972, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 21, PID 2380, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 22, PID 2168, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 23, PID 2932, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 24, PID 2804, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 25, PID 1736, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 26, PID 1344, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 27, PID 1520 (PID reused from level 7), image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 28, PID 1964, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 29, PID 2264, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 30, PID 2268, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 31, PID 1388, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 32, PID 1780, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 33, PID 2144, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

level 34, PID 908, image C:\Windows\SysWOW64\wmpdtv32.exe
cmdline: "C:\Windows\system32\wmpdtv32.exe" C:\Windows\SysWOW64\wmpdtv32.exe
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Same hashes as the submitted sample in the General section above.
Filesize: 202KB
MD5: f31bfa9138af5f385b7056230e482478
SHA1: 10cffd0b5bc8db53881f2dc1d5980cb82914a9be
SHA256: dc8b0e20cf211c63830a323982bf9ec65584c875fd3817451e4f94e164e9bdd3
SHA512: 98e7594e263231977939a99af7d72118bef5fee9f61517430835d793137fe48d6b4755a09222681fd7af5e780b82b2bd1726f6e0b4ca16162ca517e058538db4