Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2024, 23:58
Static task: static1
Behavioral task behavioral1: sample igfxctv32.exe, resource win7-20231215-en
Behavioral task behavioral2: sample igfxctv32.exe, resource win10v2004-20231222-en
Behavioral task behavioral3: sample wmpctv32.exe, resource win7-20231129-en
Behavioral task behavioral4: sample wmpctv32.exe, resource win10v2004-20231222-en
General
Target: wmpctv32.exe
Size: 139KB
MD5: faab0a19040cdb5368b2237656a5cdde
SHA1: 7e040852bc17ac3b032d9c9282d3cbd102286d40
SHA256: 7524641ec7d2124e05c0aa2a4b874d022d7546a168c3e1fc6719cf2d7dd757a8
SHA512: 8be91fe5fe76b0eee45e1681f493d484419ecee704dc2e8e18cc13a5f1b0d86185a70680220c40c3dde20d733a2a36e3b8833cf5b4808cb46dbff35a6beadd78
SSDEEP: 3072:F92m5lHWg7MG2KfdzY3cPX321W8DQsalsDVMTJxxaw4vZI6IUw:b7Z7KZ3ccXalamJqG6Id
Malware Config
Extracted: metasploit, encoder/call4_dword_xor
Signatures
MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Executes dropped EXE (32 IoCs)
Loads dropped DLL (64 IoCs)
Yara rule match: upx (process memory dumps of behavioral3)
Maps connected drives based on registry (3 TTPs, 34 IoCs): Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory (49 IoCs)
Suspicious use of SetThreadContext (17 IoCs)
Enumerates physical storage devices (1 TTPs): Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe (PID 2328)
  Command line: "C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe (PID 1708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\wmpctv32.exe (PID 2916)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\wmpctv32.exe (PID 2268)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\wmpctv32.exe (PID 2596)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\wmpctv32.exe (PID 2476)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\wmpctv32.exe (PID 320)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\SysWOW64\wmpctv32.exe (PID 1208)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SysWOW64\wmpctv32.exe (PID 1684)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\SysWOW64\wmpctv32.exe (PID 1776)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\SysWOW64\wmpctv32.exe (PID 1244)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\SysWOW64\wmpctv32.exe (PID 1160)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 13: C:\Windows\SysWOW64\wmpctv32.exe (PID 1188)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 14: C:\Windows\SysWOW64\wmpctv32.exe (PID 1416)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 15: C:\Windows\SysWOW64\wmpctv32.exe (PID 828)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 16: C:\Windows\SysWOW64\wmpctv32.exe (PID 2980)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 17: C:\Windows\SysWOW64\wmpctv32.exe (PID 1132)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 18: C:\Windows\SysWOW64\wmpctv32.exe (PID 1880)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 19: C:\Windows\SysWOW64\wmpctv32.exe (PID 2956)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 20: C:\Windows\SysWOW64\wmpctv32.exe (PID 880)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 21: C:\Windows\SysWOW64\wmpctv32.exe (PID 1676)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 22: C:\Windows\SysWOW64\wmpctv32.exe (PID 1200)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 23: C:\Windows\SysWOW64\wmpctv32.exe (PID 2660)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 24: C:\Windows\SysWOW64\wmpctv32.exe (PID 2144)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 25: C:\Windows\SysWOW64\wmpctv32.exe (PID 1600)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 26: C:\Windows\SysWOW64\wmpctv32.exe (PID 2464)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 27: C:\Windows\SysWOW64\wmpctv32.exe (PID 1824)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 28: C:\Windows\SysWOW64\wmpctv32.exe (PID 1640)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 29: C:\Windows\SysWOW64\wmpctv32.exe (PID 1936)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 30: C:\Windows\SysWOW64\wmpctv32.exe (PID 1860)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 31: C:\Windows\SysWOW64\wmpctv32.exe (PID 1848)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 32: C:\Windows\SysWOW64\wmpctv32.exe (PID 1744)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses

Level 33: C:\Windows\SysWOW64\wmpctv32.exe (PID 2100)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

Level 34: C:\Windows\SysWOW64\wmpctv32.exe (PID 768)
  Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads