Analysis

- Max time kernel: 149s
- Max time network: 151s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231222-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 21/01/2024, 23:58
Tasks

| Task | Type | Sample | Resource |
|---|---|---|---|
| static1 | Static task | | |
| behavioral1 | Behavioral task | igfxctv32.exe | win7-20231215-en |
| behavioral2 | Behavioral task | igfxctv32.exe | win10v2004-20231222-en |
| behavioral3 | Behavioral task | wmpctv32.exe | win7-20231129-en |
| behavioral4 | Behavioral task | wmpctv32.exe | win10v2004-20231222-en |
General

- Target: wmpctv32.exe
- Size: 139KB
- MD5: faab0a19040cdb5368b2237656a5cdde
- SHA1: 7e040852bc17ac3b032d9c9282d3cbd102286d40
- SHA256: 7524641ec7d2124e05c0aa2a4b874d022d7546a168c3e1fc6719cf2d7dd757a8
- SHA512: 8be91fe5fe76b0eee45e1681f493d484419ecee704dc2e8e18cc13a5f1b0d86185a70680220c40c3dde20d733a2a36e3b8833cf5b4808cb46dbff35a6beadd78
- SSDEEP: 3072:F92m5lHWg7MG2KfdzY3cPX321W8DQsalsDVMTJxxaw4vZI6IUw:b7Z7KZ3ccXalamJqG6Id
Malware Config

Extracted:
- metasploit
- encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings (2 TTPs, 16 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wmpctv32.exe |
Executes dropped EXE (32 IoCs)

| pid | Process |
|---|---|
| 1700 | wmpctv32.exe |
| 1476 | wmpctv32.exe |
| 1436 | wmpctv32.exe |
| 4924 | wmpctv32.exe |
| 2512 | wmpctv32.exe |
| 3548 | wmpctv32.exe |
| 1948 | wmpctv32.exe |
| 4760 | wmpctv32.exe |
| 4220 | wmpctv32.exe |
| 1156 | wmpctv32.exe |
| 848 | wmpctv32.exe |
| 1700 | wmpctv32.exe |
| 2604 | wmpctv32.exe |
| 4912 | wmpctv32.exe |
| 4028 | wmpctv32.exe |
| 2548 | wmpctv32.exe |
| 5000 | wmpctv32.exe |
| 1212 | wmpctv32.exe |
| 4164 | wmpctv32.exe |
| 1304 | wmpctv32.exe |
| 1856 | wmpctv32.exe |
| 1624 | wmpctv32.exe |
| 1404 | wmpctv32.exe |
| 4252 | wmpctv32.exe |
| 980 | wmpctv32.exe |
| 2428 | wmpctv32.exe |
| 1936 | wmpctv32.exe |
| 4920 | wmpctv32.exe |
| 1264 | wmpctv32.exe |
| 1852 | wmpctv32.exe |
| 1996 | wmpctv32.exe |
| 3660 | wmpctv32.exe |

YARA rule matches on memory dumps

| resource | yara_rule |
|---|---|
| behavioral4/memory/736-0-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/736-2-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/736-4-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/736-3-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/736-41-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4924-51-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1476-52-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/3548-59-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4924-61-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4760-70-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/3548-71-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1156-79-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4760-80-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1700-88-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1156-89-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1700-92-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4912-99-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/2548-105-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4912-107-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1212-115-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/2548-116-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1304-124-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1212-125-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1624-133-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1304-137-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4252-143-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1624-147-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/2428-155-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4252-158-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4920-165-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/2428-168-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1852-176-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1852-174-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/4920-179-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/3660-186-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
| behavioral4/memory/1852-189-0x0000000000400000-0x000000000045A000-memory.dmp | upx |
Maps connected drives based on registry (3 TTPs, 34 IoCs)
Disk information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpctv32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpctv32.exe |
Drops file in System32 directory (48 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File created | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\wmpctv32.exe | wmpctv32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | wmpctv32.exe |
Suspicious use of SetThreadContext (17 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1896 set thread context of 736 | 1896 | wmpctv32.exe | 87 |
| PID 1700 set thread context of 1476 | 1700 | wmpctv32.exe | 101 |
| PID 1436 set thread context of 4924 | 1436 | wmpctv32.exe | 103 |
| PID 2512 set thread context of 3548 | 2512 | wmpctv32.exe | 105 |
| PID 1948 set thread context of 4760 | 1948 | wmpctv32.exe | 109 |
| PID 4220 set thread context of 1156 | 4220 | wmpctv32.exe | 111 |
| PID 848 set thread context of 1700 | 848 | wmpctv32.exe | 113 |
| PID 2604 set thread context of 4912 | 2604 | wmpctv32.exe | 115 |
| PID 4028 set thread context of 2548 | 4028 | wmpctv32.exe | 118 |
| PID 5000 set thread context of 1212 | 5000 | wmpctv32.exe | 120 |
| PID 4164 set thread context of 1304 | 4164 | wmpctv32.exe | 122 |
| PID 1856 set thread context of 1624 | 1856 | wmpctv32.exe | 128 |
| PID 1404 set thread context of 4252 | 1404 | wmpctv32.exe | 133 |
| PID 980 set thread context of 2428 | 980 | wmpctv32.exe | 135 |
| PID 1936 set thread context of 4920 | 1936 | wmpctv32.exe | 137 |
| PID 1264 set thread context of 1852 | 1264 | wmpctv32.exe | 139 |
| PID 1996 set thread context of 3660 | 1996 | wmpctv32.exe | 144 |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (16 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmpctv32.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
|---|---|
| 736 | wmpctv32.exe |
| 736 | wmpctv32.exe |
| 736 | wmpctv32.exe |
| 736 | wmpctv32.exe |
| 1476 | wmpctv32.exe |
| 1476 | wmpctv32.exe |
| 1476 | wmpctv32.exe |
| 1476 | wmpctv32.exe |
| 4924 | wmpctv32.exe |
| 4924 | wmpctv32.exe |
| 4924 | wmpctv32.exe |
| 4924 | wmpctv32.exe |
| 3548 | wmpctv32.exe |
| 3548 | wmpctv32.exe |
| 3548 | wmpctv32.exe |
| 3548 | wmpctv32.exe |
| 4760 | wmpctv32.exe |
| 4760 | wmpctv32.exe |
| 4760 | wmpctv32.exe |
| 4760 | wmpctv32.exe |
| 1156 | wmpctv32.exe |
| 1156 | wmpctv32.exe |
| 1156 | wmpctv32.exe |
| 1156 | wmpctv32.exe |
| 1700 | wmpctv32.exe |
| 1700 | wmpctv32.exe |
| 1700 | wmpctv32.exe |
| 1700 | wmpctv32.exe |
| 4912 | wmpctv32.exe |
| 4912 | wmpctv32.exe |
| 4912 | wmpctv32.exe |
| 4912 | wmpctv32.exe |
| 2548 | wmpctv32.exe |
| 2548 | wmpctv32.exe |
| 2548 | wmpctv32.exe |
| 2548 | wmpctv32.exe |
| 1212 | wmpctv32.exe |
| 1212 | wmpctv32.exe |
| 1212 | wmpctv32.exe |
| 1212 | wmpctv32.exe |
| 1304 | wmpctv32.exe |
| 1304 | wmpctv32.exe |
| 1304 | wmpctv32.exe |
| 1304 | wmpctv32.exe |
| 1624 | wmpctv32.exe |
| 1624 | wmpctv32.exe |
| 1624 | wmpctv32.exe |
| 1624 | wmpctv32.exe |
| 4252 | wmpctv32.exe |
| 4252 | wmpctv32.exe |
| 4252 | wmpctv32.exe |
| 4252 | wmpctv32.exe |
| 2428 | wmpctv32.exe |
| 2428 | wmpctv32.exe |
| 2428 | wmpctv32.exe |
| 2428 | wmpctv32.exe |
| 4920 | wmpctv32.exe |
| 4920 | wmpctv32.exe |
| 4920 | wmpctv32.exe |
| 4920 | wmpctv32.exe |
| 1852 | wmpctv32.exe |
| 1852 | wmpctv32.exe |
| 1852 | wmpctv32.exe |
| 1852 | wmpctv32.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1896 wrote to memory of 736 | 1896 | wmpctv32.exe | 87 |
| PID 1896 wrote to memory of 736 | 1896 | wmpctv32.exe | 87 |
| PID 1896 wrote to memory of 736 | 1896 | wmpctv32.exe | 87 |
| PID 1896 wrote to memory of 736 | 1896 | wmpctv32.exe | 87 |
| PID 1896 wrote to memory of 736 | 1896 | wmpctv32.exe | 87 |
| PID 1896 wrote to memory of 736 | 1896 | wmpctv32.exe | 87 |
| PID 1896 wrote to memory of 736 | 1896 | wmpctv32.exe | 87 |
| PID 736 wrote to memory of 1700 | 736 | wmpctv32.exe | 98 |
| PID 736 wrote to memory of 1700 | 736 | wmpctv32.exe | 98 |
| PID 736 wrote to memory of 1700 | 736 | wmpctv32.exe | 98 |
| PID 1700 wrote to memory of 1476 | 1700 | wmpctv32.exe | 101 |
| PID 1700 wrote to memory of 1476 | 1700 | wmpctv32.exe | 101 |
| PID 1700 wrote to memory of 1476 | 1700 | wmpctv32.exe | 101 |
| PID 1700 wrote to memory of 1476 | 1700 | wmpctv32.exe | 101 |
| PID 1700 wrote to memory of 1476 | 1700 | wmpctv32.exe | 101 |
| PID 1700 wrote to memory of 1476 | 1700 | wmpctv32.exe | 101 |
| PID 1700 wrote to memory of 1476 | 1700 | wmpctv32.exe | 101 |
| PID 1476 wrote to memory of 1436 | 1476 | wmpctv32.exe | 102 |
| PID 1476 wrote to memory of 1436 | 1476 | wmpctv32.exe | 102 |
| PID 1476 wrote to memory of 1436 | 1476 | wmpctv32.exe | 102 |
| PID 1436 wrote to memory of 4924 | 1436 | wmpctv32.exe | 103 |
| PID 1436 wrote to memory of 4924 | 1436 | wmpctv32.exe | 103 |
| PID 1436 wrote to memory of 4924 | 1436 | wmpctv32.exe | 103 |
| PID 1436 wrote to memory of 4924 | 1436 | wmpctv32.exe | 103 |
| PID 1436 wrote to memory of 4924 | 1436 | wmpctv32.exe | 103 |
| PID 1436 wrote to memory of 4924 | 1436 | wmpctv32.exe | 103 |
| PID 1436 wrote to memory of 4924 | 1436 | wmpctv32.exe | 103 |
| PID 4924 wrote to memory of 2512 | 4924 | wmpctv32.exe | 104 |
| PID 4924 wrote to memory of 2512 | 4924 | wmpctv32.exe | 104 |
| PID 4924 wrote to memory of 2512 | 4924 | wmpctv32.exe | 104 |
| PID 2512 wrote to memory of 3548 | 2512 | wmpctv32.exe | 105 |
| PID 2512 wrote to memory of 3548 | 2512 | wmpctv32.exe | 105 |
| PID 2512 wrote to memory of 3548 | 2512 | wmpctv32.exe | 105 |
| PID 2512 wrote to memory of 3548 | 2512 | wmpctv32.exe | 105 |
| PID 2512 wrote to memory of 3548 | 2512 | wmpctv32.exe | 105 |
| PID 2512 wrote to memory of 3548 | 2512 | wmpctv32.exe | 105 |
| PID 2512 wrote to memory of 3548 | 2512 | wmpctv32.exe | 105 |
| PID 3548 wrote to memory of 1948 | 3548 | wmpctv32.exe | 108 |
| PID 3548 wrote to memory of 1948 | 3548 | wmpctv32.exe | 108 |
| PID 3548 wrote to memory of 1948 | 3548 | wmpctv32.exe | 108 |
| PID 1948 wrote to memory of 4760 | 1948 | wmpctv32.exe | 109 |
| PID 1948 wrote to memory of 4760 | 1948 | wmpctv32.exe | 109 |
| PID 1948 wrote to memory of 4760 | 1948 | wmpctv32.exe | 109 |
| PID 1948 wrote to memory of 4760 | 1948 | wmpctv32.exe | 109 |
| PID 1948 wrote to memory of 4760 | 1948 | wmpctv32.exe | 109 |
| PID 1948 wrote to memory of 4760 | 1948 | wmpctv32.exe | 109 |
| PID 1948 wrote to memory of 4760 | 1948 | wmpctv32.exe | 109 |
| PID 4760 wrote to memory of 4220 | 4760 | wmpctv32.exe | 110 |
| PID 4760 wrote to memory of 4220 | 4760 | wmpctv32.exe | 110 |
| PID 4760 wrote to memory of 4220 | 4760 | wmpctv32.exe | 110 |
| PID 4220 wrote to memory of 1156 | 4220 | wmpctv32.exe | 111 |
| PID 4220 wrote to memory of 1156 | 4220 | wmpctv32.exe | 111 |
| PID 4220 wrote to memory of 1156 | 4220 | wmpctv32.exe | 111 |
| PID 4220 wrote to memory of 1156 | 4220 | wmpctv32.exe | 111 |
| PID 4220 wrote to memory of 1156 | 4220 | wmpctv32.exe | 111 |
| PID 4220 wrote to memory of 1156 | 4220 | wmpctv32.exe | 111 |
| PID 4220 wrote to memory of 1156 | 4220 | wmpctv32.exe | 111 |
| PID 1156 wrote to memory of 848 | 1156 | wmpctv32.exe | 112 |
| PID 1156 wrote to memory of 848 | 1156 | wmpctv32.exe | 112 |
| PID 1156 wrote to memory of 848 | 1156 | wmpctv32.exe | 112 |
| PID 848 wrote to memory of 1700 | 848 | wmpctv32.exe | 113 |
| PID 848 wrote to memory of 1700 | 848 | wmpctv32.exe | 113 |
| PID 848 wrote to memory of 1700 | 848 | wmpctv32.exe | 113 |
| PID 848 wrote to memory of 1700 | 848 | wmpctv32.exe | 113 |
Processes

Process tree as shown in the report; the list number is the nesting depth of each process.

1. C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe (PID 1896)
   Command line: "C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe (PID 736)
   Command line: "C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"
   - Checks computer location settings
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\wmpctv32.exe (PID 1700)
   Command line: "C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\wmpctv32.exe (PID 1476)
   Command line: "C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\wmpctv32.exe (PID 1436)
   Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\wmpctv32.exe (PID 4924)
   Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\wmpctv32.exe (PID 2512)
   Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\wmpctv32.exe (PID 3548)
   Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\wmpctv32.exe (PID 1948)
   Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\wmpctv32.exe (PID 4760)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\wmpctv32.exe (PID 4220)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\wmpctv32.exe (PID 1156)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\wmpctv32.exe (PID 848)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\wmpctv32.exe (PID 1700)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
15. C:\Windows\SysWOW64\wmpctv32.exe (PID 2604)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
16. C:\Windows\SysWOW64\wmpctv32.exe (PID 4912)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
17. C:\Windows\SysWOW64\wmpctv32.exe (PID 4028)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
18. C:\Windows\SysWOW64\wmpctv32.exe (PID 2548)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
19. C:\Windows\SysWOW64\wmpctv32.exe (PID 5000)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
20. C:\Windows\SysWOW64\wmpctv32.exe (PID 1212)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
21. C:\Windows\SysWOW64\wmpctv32.exe (PID 4164)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
22. C:\Windows\SysWOW64\wmpctv32.exe (PID 1304)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
23. C:\Windows\SysWOW64\wmpctv32.exe (PID 1856)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
24. C:\Windows\SysWOW64\wmpctv32.exe (PID 1624)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
25. C:\Windows\SysWOW64\wmpctv32.exe (PID 1404)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
26. C:\Windows\SysWOW64\wmpctv32.exe (PID 4252)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
27. C:\Windows\SysWOW64\wmpctv32.exe (PID 980)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
28. C:\Windows\SysWOW64\wmpctv32.exe (PID 2428)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
29. C:\Windows\SysWOW64\wmpctv32.exe (PID 1936)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
30. C:\Windows\SysWOW64\wmpctv32.exe (PID 4920)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
31. C:\Windows\SysWOW64\wmpctv32.exe (PID 1264)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
32. C:\Windows\SysWOW64\wmpctv32.exe (PID 1852)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
33. C:\Windows\SysWOW64\wmpctv32.exe (PID 1996)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
34. C:\Windows\SysWOW64\wmpctv32.exe (PID 3660)
    Command line: "C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe
    - Executes dropped EXE
    - Maps connected drives based on registry
Downloads

- Filesize: 139KB
- MD5: faab0a19040cdb5368b2237656a5cdde
- SHA1: 7e040852bc17ac3b032d9c9282d3cbd102286d40
- SHA256: 7524641ec7d2124e05c0aa2a4b874d022d7546a168c3e1fc6719cf2d7dd757a8
- SHA512: 8be91fe5fe76b0eee45e1681f493d484419ecee704dc2e8e18cc13a5f1b0d86185a70680220c40c3dde20d733a2a36e3b8833cf5b4808cb46dbff35a6beadd78