Overview

overview

10

Static

static

3

dd052c3073...18.exe

windows7-x64

3

dd052c3073...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2024 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd052c3073b8f29720d0a20b96b932ad_JaffaCakes118.exe

  • Size

    240KB

  • MD5

    dd052c3073b8f29720d0a20b96b932ad

  • SHA1

    09bbe2f8b18d04486319f0215b629f2a1b5da3bb

  • SHA256

    c158c37fd4b94dc68470343fc1753c1d2e5b117294a151c28de14af5ef246e04

  • SHA512

    a1bac3159c743271b9dac992aa0fdc8f1268140dfceccf8b757a048fca97adf9dcfbf1ae667e289751dbebcec108de672e05768139c8b3271a57ec23134fbe02

  • SSDEEP

    6144:TFEZhgTJvIzboy9WEcUMDNjaEsiIW3YgXP:TFjyUy9WoMxOEsFOXXP

Score
10/10
metasploitbackdoordiscoverytrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 64 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd052c3073b8f29720d0a20b96b932ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dd052c3073b8f29720d0a20b96b932ad_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Users\Admin\AppData\Local\Temp\dd052c3073b8f29720d0a20b96b932ad_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\dd052c3073b8f29720d0a20b96b932ad_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\SysWOW64\wmicvrt.exe
        "C:\Windows\system32\wmicvrt.exe" C:\Users\Admin\AppData\Local\Temp\DD052C~1.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\wmicvrt.exe
          C:\Windows\SysWOW64\wmicvrt.exe C:\Users\Admin\AppData\Local\Temp\DD052C~1.EXE
          4⤵
          • Checks computer location settings
          • Deletes itself
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:32
          • C:\Windows\SysWOW64\wmicvrt.exe
            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2232
            • C:\Windows\SysWOW64\wmicvrt.exe
              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4960
              • C:\Windows\SysWOW64\wmicvrt.exe
                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:616
                • C:\Windows\SysWOW64\wmicvrt.exe
                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4296
                  • C:\Windows\SysWOW64\wmicvrt.exe
                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:4620
                    • C:\Windows\SysWOW64\wmicvrt.exe
                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:4456
                      • C:\Windows\SysWOW64\wmicvrt.exe
                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:2388
                        • C:\Windows\SysWOW64\wmicvrt.exe
                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:4172
                          • C:\Windows\SysWOW64\wmicvrt.exe
                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:3624
                            • C:\Windows\SysWOW64\wmicvrt.exe
                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1524
                              • C:\Windows\SysWOW64\wmicvrt.exe
                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:1112
                                • C:\Windows\SysWOW64\wmicvrt.exe
                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2948
                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2268
                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:1920
                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • Suspicious use of SetWindowsHookEx
                                        PID:4968
                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:1492
                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2092
                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2112
                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2232
                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:5028
                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:1856
                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:5060
                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:3332
                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3092
                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4484
                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:1256
                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:1852
                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                  32⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:1008
                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:3180
                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:380
                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:1260
                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                          36⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          PID:3540
                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:232
                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                              38⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:5116
                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:1344
                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:4968
                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:892
                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                      42⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:3024
                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:4636
                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                          44⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Modifies registry class
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          PID:2852
                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:3196
                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                              46⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              PID:3640
                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:4612
                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                  48⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:4548
                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:2188
                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                      50⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Modifies registry class
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      PID:1304
                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        PID:3400
                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          PID:2560
                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:1008
                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                              54⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • Modifies registry class
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              PID:1632
                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                PID:524
                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                  56⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Modifies registry class
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:540
                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:440
                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Modifies registry class
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      PID:3524
                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:3468
                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                          60⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies registry class
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          PID:376
                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            PID:2772
                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                              62⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Modifies registry class
                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                              PID:3136
                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                PID:4628
                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry class
                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                  PID:4360
                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:4308
                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                      66⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      PID:5088
                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                        67⤵
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:1324
                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                          68⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:1752
                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                            69⤵
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:864
                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                              70⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:4820
                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                71⤵
                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                PID:1888
                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Checks computer location settings
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:4484
                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:2696
                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:2388
                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:1036
                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:1612
                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            PID:4732
                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                              78⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • Modifies registry class
                                                                                                                                                              PID:5040
                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                79⤵
                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                PID:856
                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                  80⤵
                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  PID:2844
                                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                    81⤵
                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                    PID:3292
                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                      82⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      PID:4944
                                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                        83⤵
                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                        PID:2572
                                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                          84⤵
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:4896
                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                            85⤵
                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                            PID:3920
                                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                              86⤵
                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:740
                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                87⤵
                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                PID:3816
                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                  88⤵
                                                                                                                                                                                    PID:4480
                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                      "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                      89⤵
                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                      PID:3956
                                                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                        C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                        90⤵
                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:1684
                                                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                          "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                          91⤵
                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                          PID:4912
                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                            C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                            92⤵
                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                            PID:3488
                                                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                              "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                              93⤵
                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                              PID:4668
                                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                94⤵
                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                PID:1856
                                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                  "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                  95⤵
                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                  PID:3204
                                                                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                    C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                    96⤵
                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                    PID:3588
                                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                      "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                      97⤵
                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                      PID:1956
                                                                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                        98⤵
                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                        PID:2188
                                                                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                          "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                          99⤵
                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                          PID:4012
                                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                            C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                            100⤵
                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                            PID:2780
                                                                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                              "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                              101⤵
                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                              PID:3528
                                                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                102⤵
                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                PID:692
                                                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                  "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                  103⤵
                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                  PID:4132
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                    104⤵
                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                    PID:708
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                      "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                      105⤵
                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                      PID:3364
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                        C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                        106⤵
                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        PID:2900
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                          "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                          107⤵
                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                          PID:4408
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                            C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                            108⤵
                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                            PID:5032
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                              "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                              109⤵
                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                              PID:5000
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                110⤵
                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:3996
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                  111⤵
                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                  PID:3896
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                    C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                    112⤵
                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                    PID:2100
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                      "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                      113⤵
                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                      PID:1748
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                        C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                        114⤵
                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                        PID:4300
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                          "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                          115⤵
                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                          PID:5084
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                            C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                            116⤵
                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                            PID:4728
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                              117⤵
                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                              PID:4476
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                118⤵
                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                PID:4700
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                  119⤵
                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                  PID:1616
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                    120⤵
                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                    PID:2492
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                      121⤵
                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                      PID:1000
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                        122⤵
                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                        PID:3964
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                          123⤵
                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                          PID:3536
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                            124⤵
                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                            PID:2148
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                              "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                              125⤵
                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                              PID:3428
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                126⤵
                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                PID:2116
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                  127⤵
                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                  PID:2588
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                    128⤵
                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                    PID:3528
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                      "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                      129⤵
                                                                                                                                                                                                                                                                        PID:3804
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                          130⤵
                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                          PID:972
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                            131⤵
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:4788
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                              132⤵
                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                              PID:1184
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                133⤵
                                                                                                                                                                                                                                                                                  PID:4292
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                    134⤵
                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                    PID:5052
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                      135⤵
                                                                                                                                                                                                                                                                                        PID:1976
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                          136⤵
                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                          PID:4836
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                            137⤵
                                                                                                                                                                                                                                                                                              PID:228
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                138⤵
                                                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                PID:4596
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                  139⤵
                                                                                                                                                                                                                                                                                                    PID:3816
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                      140⤵
                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                      PID:4384
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                        141⤵
                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                        PID:2232
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                          142⤵
                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                          PID:2332
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                            143⤵
                                                                                                                                                                                                                                                                                                              PID:4912
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                144⤵
                                                                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                PID:2040
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                  145⤵
                                                                                                                                                                                                                                                                                                                    PID:976
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                      146⤵
                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                      PID:4632
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                        147⤵
                                                                                                                                                                                                                                                                                                                          PID:4724
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                            148⤵
                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                            PID:1388
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                              149⤵
                                                                                                                                                                                                                                                                                                                                PID:2776
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                  150⤵
                                                                                                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                  PID:1264
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                    151⤵
                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                    PID:752
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                      152⤵
                                                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                      PID:4904
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                        153⤵
                                                                                                                                                                                                                                                                                                                                          PID:4244
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                            154⤵
                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                            PID:2392
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                              155⤵
                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                              PID:4088
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                                156⤵
                                                                                                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                PID:1092
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\wmicvrt.exe" C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                                  157⤵
                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                  PID:4176
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\wmicvrt.exe C:\Windows\SysWOW64\wmicvrt.exe
                                                                                                                                                                                                                                                                                                                                                    158⤵
                                                                                                                                                                                                                                                                                                                                                      PID:2612

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\SysWOW64\wmicvrt.exe
                            Filesize

                            240KB

                            MD5

                            dd052c3073b8f29720d0a20b96b932ad

                            SHA1

                            09bbe2f8b18d04486319f0215b629f2a1b5da3bb

                            SHA256

                            c158c37fd4b94dc68470343fc1753c1d2e5b117294a151c28de14af5ef246e04

                            SHA512

                            a1bac3159c743271b9dac992aa0fdc8f1268140dfceccf8b757a048fca97adf9dcfbf1ae667e289751dbebcec108de672e05768139c8b3271a57ec23134fbe02

                            Download Submit

                          • memory/32-84-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/32-83-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/32-82-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/32-81-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/32-86-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/376-504-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/380-312-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/380-316-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/540-475-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/540-478-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/692-781-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/708-794-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/740-675-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/972-965-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1008-300-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1092-1134-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1184-978-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1256-285-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1264-1095-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1304-438-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1388-1082-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1492-209-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1524-162-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1612-610-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1612-607-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1632-464-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1684-702-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1752-557-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1856-728-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/1920-194-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2040-1056-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2100-846-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2112-224-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2116-939-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2116-934-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2148-926-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2188-755-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2188-750-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2332-1043-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2388-596-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2392-1121-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2492-894-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2492-899-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2560-451-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2780-768-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2844-636-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2852-395-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2900-807-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2948-174-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2948-179-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3024-379-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3024-372-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3092-269-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3136-517-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3488-715-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3524-491-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3528-952-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3540-331-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3588-741-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3640-410-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3964-912-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/3996-833-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4080-3-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4080-9-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4080-8-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4080-73-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4080-2-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4080-7-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4080-4-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4080-10-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4172-146-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4172-144-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4172-142-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4172-143-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4296-116-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4296-114-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4296-112-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4296-113-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4296-111-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4300-859-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4360-530-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4384-1030-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4456-126-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4456-128-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4456-127-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4456-132-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4480-689-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4480-686-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4484-585-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4548-425-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4548-422-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4596-1017-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4632-1069-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4700-885-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4728-872-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4820-570-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4836-1004-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4896-662-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4904-1108-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4944-649-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4960-98-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4960-100-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4960-96-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4960-97-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4968-362-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/4968-356-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/5028-239-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/5032-820-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/5040-623-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/5052-991-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/5060-255-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/5088-541-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/5088-544-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/5116-346-0x0000000000400000-0x0000000000464000-memory.dmp

                            Filesize

                            400KB

                            Download