Malware Analysis Report

2025-08-06 04:05

Sample ID 240121-31csbacbcj
Target 6e2d8686cfea2d3179f01002b5728f5d
SHA256 85580bf956411dd11ed45e6e3217e8b17ff7ac4fd3b3fdc120388a4eabef0ba0
Tags
metasploit backdoor trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

85580bf956411dd11ed45e6e3217e8b17ff7ac4fd3b3fdc120388a4eabef0ba0

Threat Level: Known bad

The file 6e2d8686cfea2d3179f01002b5728f5d was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan upx

MetaSploit

UPX packed file

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 23:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 23:58

Reported

2024-01-22 00:01

Platform

win7-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxctv32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxctv32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxctv32.exe N/A
File created C:\Windows\SysWOW64\igfxctv32.exe C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxctv32.exe C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2284 set thread context of 3068 N/A C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe
PID 2720 set thread context of 2696 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2392 set thread context of 2516 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1052 set thread context of 2468 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 588 set thread context of 2740 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2040 set thread context of 2072 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2088 set thread context of 1036 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1724 set thread context of 1764 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2052 set thread context of 760 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1736 set thread context of 1704 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2848 set thread context of 2724 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2596 set thread context of 2616 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2876 set thread context of 2884 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1680 set thread context of 552 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe
PID 3068 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2720 wrote to memory of 2696 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2696 wrote to memory of 2392 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2392 wrote to memory of 2516 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2516 wrote to memory of 1052 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1052 wrote to memory of 2468 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2468 wrote to memory of 588 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 588 wrote to memory of 2740 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2740 wrote to memory of 2040 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2040 wrote to memory of 2072 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2072 wrote to memory of 2088 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe

"C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe"

C:\Windows\SysWOW64\igfxctv32.exe

"C:\Windows\system32\igfxctv32.exe" C:\Users\Admin\AppData\Local\Temp\IGFXCT~1.EXE

C:\Windows\SysWOW64\igfxctv32.exe

"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE

Network

N/A

Files

\Windows\SysWOW64\igfxctv32.exe

MD5 b5202ea069462c2e8b64ff72100faa28
SHA1 7ffd5668f76d34515eb979bc38dde3b4daf84f74
SHA256 d445f21a4bd3aa1d61ad5e26df3535e611d44b1d9c70149987ee6979f8e9d3e4
SHA512 02a1edf3721d8c471f254dcb7dbf0a5b7ed7448e8f37e218fe5f8429b81dff501eb9edf97b628f4eaa4c204ed809349bd3434d6fde8c7988084689a1366670a1

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Windows\SysWOW64\igfxctv32.exe

MD5 0bd7111935b72b16d91b78f6f34b7bbc
SHA1 cad6d64970fca1abdf1c9f449a66fc12c04d5615
SHA256 954915b0a36d0c6609a0e4c4a29a2b54e0f4052514ca754cfcf9d12e1d3b6fcf
SHA512 fb685ba7c3f23d13e31716a481a7e6568116e1e0edf7aad63c97053e7fdb5a9a8beafe0977d66988ec1746cd5c40d8cf997a528a5a22b6c8ea06978c760bf977

\Windows\SysWOW64\igfxctv32.exe

MD5 b47e1ac6a488aa96889a0efd4df24832
SHA1 fb9b5f6c2655487359337128eeb09cc0a76a5324
SHA256 7eb9118510bdd904fdddb784577eb76c688ced943328b2706d438c91b0a58826
SHA512 c4399906647d459a034e8a476b9233f7deb93c3165097b754b9e58bb83f5814aa3948786e0409f0d9d324727b06c95566587576dbab68e13d865c59b33f7d6aa

\Windows\SysWOW64\igfxctv32.exe

MD5 b9b900d9241ae57f65809474f1809245
SHA1 73c170773f31ee9f5210322448fec4ede2043db5
SHA256 65ee5bb848d4e2f48b32a44bf7b1df75586decd4e1c79bedef059eddb12c78c5
SHA512 a2537cc2c69f0b5db21d97cebc0f4e8c91e338dcdcc04f34b4a06b99a16f896aa073ecb95e26b0909a5a0a75ba200c48c872d598d2fe66ed9796cf2f8f235747

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 23:58

Reported

2024-01-22 00:01

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\igfxctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\igfxctv32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxctv32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxctv32.exe N/A
File created C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxctv32.exe C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A
File created C:\Windows\SysWOW64\igfxctv32.exe C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3480 set thread context of 4700 N/A C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe
PID 1160 set thread context of 900 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 4508 set thread context of 2500 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 3168 set thread context of 3180 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 4136 set thread context of 3480 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 3868 set thread context of 720 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1420 set thread context of 856 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 5060 set thread context of 872 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 4448 set thread context of 4952 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 5000 set thread context of 1844 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1880 set thread context of 1420 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1920 set thread context of 4380 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2324 set thread context of 920 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2404 set thread context of 1324 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1456 set thread context of 1960 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxctv32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe
PID 4700 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1160 wrote to memory of 900 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 900 wrote to memory of 4508 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 4508 wrote to memory of 2500 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 2500 wrote to memory of 3168 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 3168 wrote to memory of 3180 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 3180 wrote to memory of 4136 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 4136 wrote to memory of 3480 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 3480 wrote to memory of 3868 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 3868 wrote to memory of 720 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 720 wrote to memory of 1420 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe
PID 1420 wrote to memory of 856 N/A C:\Windows\SysWOW64\igfxctv32.exe C:\Windows\SysWOW64\igfxctv32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe

"C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe"

C:\Windows\SysWOW64\igfxctv32.exe

"C:\Windows\system32\igfxctv32.exe" C:\Users\Admin\AppData\Local\Temp\IGFXCT~1.EXE

C:\Windows\SysWOW64\igfxctv32.exe

"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.135.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Windows\SysWOW64\igfxctv32.exe

MD5 b5202ea069462c2e8b64ff72100faa28
SHA1 7ffd5668f76d34515eb979bc38dde3b4daf84f74
SHA256 d445f21a4bd3aa1d61ad5e26df3535e611d44b1d9c70149987ee6979f8e9d3e4
SHA512 02a1edf3721d8c471f254dcb7dbf0a5b7ed7448e8f37e218fe5f8429b81dff501eb9edf97b628f4eaa4c204ed809349bd3434d6fde8c7988084689a1366670a1

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-21 23:58

Reported

2024-01-22 00:01

Platform

win7-20231129-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2328 set thread context of 1708 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 2916 set thread context of 2268 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2596 set thread context of 2476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 320 set thread context of 1208 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1684 set thread context of 1776 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1244 set thread context of 1160 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1188 set thread context of 1416 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 828 set thread context of 2980 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1132 set thread context of 1880 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2956 set thread context of 880 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1676 set thread context of 1200 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2660 set thread context of 2144 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1600 set thread context of 2464 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1824 set thread context of 1640 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1936 set thread context of 1860 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1848 set thread context of 1744 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2100 set thread context of 768 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 2328 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 2328 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 2328 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 2328 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 2328 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 2328 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 1708 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1708 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1708 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1708 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2916 wrote to memory of 2268 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2268 wrote to memory of 2596 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2268 wrote to memory of 2596 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2268 wrote to memory of 2596 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2268 wrote to memory of 2596 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2596 wrote to memory of 2476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2476 wrote to memory of 320 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2476 wrote to memory of 320 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2476 wrote to memory of 320 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2476 wrote to memory of 320 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 320 wrote to memory of 1208 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 320 wrote to memory of 1208 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 320 wrote to memory of 1208 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 320 wrote to memory of 1208 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 320 wrote to memory of 1208 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 320 wrote to memory of 1208 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 320 wrote to memory of 1208 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1208 wrote to memory of 1684 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1208 wrote to memory of 1684 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1208 wrote to memory of 1684 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1208 wrote to memory of 1684 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1684 wrote to memory of 1776 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1776 wrote to memory of 1244 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1776 wrote to memory of 1244 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1776 wrote to memory of 1244 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1776 wrote to memory of 1244 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1244 wrote to memory of 1160 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1244 wrote to memory of 1160 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1244 wrote to memory of 1160 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1244 wrote to memory of 1160 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1244 wrote to memory of 1160 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1244 wrote to memory of 1160 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1244 wrote to memory of 1160 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1160 wrote to memory of 1188 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1160 wrote to memory of 1188 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe

"C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"

C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe

"C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

Network

N/A

Files

C:\Windows\SysWOW64\wmpctv32.exe

MD5 faab0a19040cdb5368b2237656a5cdde
SHA1 7e040852bc17ac3b032d9c9282d3cbd102286d40
SHA256 7524641ec7d2124e05c0aa2a4b874d022d7546a168c3e1fc6719cf2d7dd757a8
SHA512 8be91fe5fe76b0eee45e1681f493d484419ecee704dc2e8e18cc13a5f1b0d86185a70680220c40c3dde20d733a2a36e3b8833cf5b4808cb46dbff35a6beadd78

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Windows\SysWOW64\wmpctv32.exe

MD5 6c622b42b8ac7d53144a8ca3c81129d0
SHA1 c8f1d791b78b9124fab395e36c86bd147391f104
SHA256 80b8a51f09104da8742c9d99ddb673e649306728e8c0def440d819b547497ec6
SHA512 d99d3ea612f91d1166668ebdbbbe9d0bef8fc9dfb69804318cd3bd37c5887923e493e7f9330eeb87da5ea123f1366db00db945343a7fc9c88c13eea63164498e

\Windows\SysWOW64\wmpctv32.exe

MD5 6087ff2494d84cb298667daf5f9b0cec
SHA1 717dabdb1c0e0476bda46d8dcdfca7e127e4bdc1
SHA256 3dc03e033600d76b3eed56a53a22e0b0de7465c12168ef10ddeadc247cdb47e5
SHA512 acc80e39e9fb19fd321ea1e97d35b1c46fc1cbaf07108906539f8dadc6c3629a76e3c23b34c10db8d4ac1cf02cc661d441f675c7ec1b6cefc9005e4fa84b3593

C:\Windows\SysWOW64\wmpctv32.exe

MD5 695c1941a28859391cbe463b024e42fa
SHA1 eff59a324b594db1006616f120948e79d2357e91
SHA256 e6080cc5f67ba14a444549bbca2fa00371902ca18182c18949ccc5ec9b1a309b
SHA512 a3d34707ef0de706ea42662e0f5c36c7c8c2ee9d9f2392ca671708f2becceca83afa7eb75d020aa7e64940da708173a988caa00ae1ffa52a075811bee5c02ec5

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-21 23:58

Reported

2024-01-22 00:01

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpctv32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpctv32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpctv32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File created C:\Windows\SysWOW64\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpctv32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1896 set thread context of 736 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 1700 set thread context of 1476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1436 set thread context of 4924 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2512 set thread context of 3548 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1948 set thread context of 4760 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4220 set thread context of 1156 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 848 set thread context of 1700 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2604 set thread context of 4912 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4028 set thread context of 2548 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 5000 set thread context of 1212 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4164 set thread context of 1304 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1856 set thread context of 1624 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1404 set thread context of 4252 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 980 set thread context of 2428 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1936 set thread context of 4920 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1264 set thread context of 1852 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1996 set thread context of 3660 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpctv32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpctv32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1896 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 1896 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 1896 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 1896 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 1896 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 1896 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 1896 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe
PID 736 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 736 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 736 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1700 wrote to memory of 1476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1700 wrote to memory of 1476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1700 wrote to memory of 1476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1700 wrote to memory of 1476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1700 wrote to memory of 1476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1700 wrote to memory of 1476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1700 wrote to memory of 1476 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1476 wrote to memory of 1436 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1476 wrote to memory of 1436 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1476 wrote to memory of 1436 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1436 wrote to memory of 4924 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1436 wrote to memory of 4924 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1436 wrote to memory of 4924 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1436 wrote to memory of 4924 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1436 wrote to memory of 4924 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1436 wrote to memory of 4924 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1436 wrote to memory of 4924 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4924 wrote to memory of 2512 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4924 wrote to memory of 2512 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4924 wrote to memory of 2512 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2512 wrote to memory of 3548 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2512 wrote to memory of 3548 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2512 wrote to memory of 3548 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2512 wrote to memory of 3548 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2512 wrote to memory of 3548 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2512 wrote to memory of 3548 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 2512 wrote to memory of 3548 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 3548 wrote to memory of 1948 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 3548 wrote to memory of 1948 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 3548 wrote to memory of 1948 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4760 wrote to memory of 4220 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4760 wrote to memory of 4220 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4760 wrote to memory of 4220 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4220 wrote to memory of 1156 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4220 wrote to memory of 1156 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4220 wrote to memory of 1156 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4220 wrote to memory of 1156 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4220 wrote to memory of 1156 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4220 wrote to memory of 1156 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 4220 wrote to memory of 1156 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1156 wrote to memory of 848 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1156 wrote to memory of 848 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 1156 wrote to memory of 848 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 848 wrote to memory of 1700 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 848 wrote to memory of 1700 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 848 wrote to memory of 1700 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe
PID 848 wrote to memory of 1700 N/A C:\Windows\SysWOW64\wmpctv32.exe C:\Windows\SysWOW64\wmpctv32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe

"C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"

C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe

"C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe"

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Users\Admin\AppData\Local\Temp\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

C:\Windows\SysWOW64\wmpctv32.exe

"C:\Windows\system32\wmpctv32.exe" C:\Windows\SysWOW64\wmpctv32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/736-0-0x0000000000400000-0x000000000045A000-memory.dmp

memory/736-2-0x0000000000400000-0x000000000045A000-memory.dmp

memory/736-4-0x0000000000400000-0x000000000045A000-memory.dmp

memory/736-3-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Windows\SysWOW64\wmpctv32.exe

MD5 faab0a19040cdb5368b2237656a5cdde
SHA1 7e040852bc17ac3b032d9c9282d3cbd102286d40
SHA256 7524641ec7d2124e05c0aa2a4b874d022d7546a168c3e1fc6719cf2d7dd757a8
SHA512 8be91fe5fe76b0eee45e1681f493d484419ecee704dc2e8e18cc13a5f1b0d86185a70680220c40c3dde20d733a2a36e3b8833cf5b4808cb46dbff35a6beadd78

memory/736-41-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4924-51-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1476-52-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3548-59-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4924-61-0x0000000000400000-0x000000000045A000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4760-70-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3548-71-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1156-79-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4760-80-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1700-88-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1156-89-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1700-92-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4912-99-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2548-105-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4912-107-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1212-115-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2548-116-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1304-124-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1212-125-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1624-133-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1304-137-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4252-143-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1624-147-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2428-155-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4252-158-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4920-165-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2428-168-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1852-176-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1852-174-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4920-179-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3660-186-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1852-189-0x0000000000400000-0x000000000045A000-memory.dmp