metasploit | 2bb11676d3671ade6eb5192012a52e7e1cc339ee6f6c36b3fb0942758856707e

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9782af747d74702719c2da418256e164.exe
Size

235KB
MD5

9782af747d74702719c2da418256e164
SHA1

0ed275cbaeb7ad327172547dc036abdfdca163f5
SHA256

2bb11676d3671ade6eb5192012a52e7e1cc339ee6f6c36b3fb0942758856707e
SHA512

94bd7410ee4f8314a0ce84617a0c87f9b197e54ebd99227cafb8572850cd7abaf12e400c5d368c7277a2e220dfd04078fe448d53410a82bc3429c207a04f8a78
SSDEEP

6144:mutjlpnPEdCtNULSvL68fdda7JWcApjHDn:muVznsSfjXDtDXn

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9782af747d74702719c2da418256e164.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wmiptsn.exe

Deletes itself 1 IoCs

pid	Process
4536	wmiptsn.exe

Executes dropped EXE 64 IoCs

pid	Process
1564	wmiptsn.exe
4536	wmiptsn.exe
4528	wmiptsn.exe
3788	wmiptsn.exe
5056	wmiptsn.exe
5976	wmiptsn.exe
1952	wmiptsn.exe
3088	wmiptsn.exe
5456	wmiptsn.exe
2040	wmiptsn.exe
1428	wmiptsn.exe
1216	wmiptsn.exe
1608	wmiptsn.exe
1440	wmiptsn.exe
3016	wmiptsn.exe
4340	wmiptsn.exe
4360	wmiptsn.exe
3020	wmiptsn.exe
1436	wmiptsn.exe
4396	wmiptsn.exe
5708	wmiptsn.exe
3892	wmiptsn.exe
1592	wmiptsn.exe
2464	wmiptsn.exe
3432	wmiptsn.exe
3944	wmiptsn.exe
2332	wmiptsn.exe
3708	wmiptsn.exe
5356	wmiptsn.exe
5524	wmiptsn.exe
1488	wmiptsn.exe
5856	wmiptsn.exe
5484	wmiptsn.exe
4556	wmiptsn.exe
5208	wmiptsn.exe
4568	wmiptsn.exe
2004	wmiptsn.exe
5232	wmiptsn.exe
3276	wmiptsn.exe
5512	wmiptsn.exe
1916	wmiptsn.exe
916	wmiptsn.exe
3664	wmiptsn.exe
4848	wmiptsn.exe
3356	wmiptsn.exe
856	wmiptsn.exe
3644	wmiptsn.exe
2416	wmiptsn.exe
2764	wmiptsn.exe
620	wmiptsn.exe
2876	wmiptsn.exe
512	wmiptsn.exe
2008	wmiptsn.exe
2828	wmiptsn.exe
2980	wmiptsn.exe
1880	wmiptsn.exe
1972	wmiptsn.exe
464	wmiptsn.exe
3468	wmiptsn.exe
4436	wmiptsn.exe
6124	wmiptsn.exe
4080	wmiptsn.exe
2332	wmiptsn.exe
5996	wmiptsn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File created	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe
File opened for modification	C:\Windows\SysWOW64\wmiptsn.exe	wmiptsn.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 1332	1408	JaffaCakes118_9782af747d74702719c2da418256e164.exe	89
PID 1564 set thread context of 4536	1564	wmiptsn.exe	91
PID 4528 set thread context of 3788	4528	wmiptsn.exe	96
PID 5056 set thread context of 5976	5056	wmiptsn.exe	99
PID 1952 set thread context of 3088	1952	wmiptsn.exe	102
PID 5456 set thread context of 2040	5456	wmiptsn.exe	106
PID 1428 set thread context of 1216	1428	wmiptsn.exe	108
PID 1608 set thread context of 1440	1608	wmiptsn.exe	110
PID 3016 set thread context of 4340	3016	wmiptsn.exe	112
PID 4360 set thread context of 3020	4360	wmiptsn.exe	114
PID 1436 set thread context of 4396	1436	wmiptsn.exe	116
PID 5708 set thread context of 3892	5708	wmiptsn.exe	118
PID 1592 set thread context of 2464	1592	wmiptsn.exe	120
PID 3432 set thread context of 3944	3432	wmiptsn.exe	123
PID 2332 set thread context of 3708	2332	wmiptsn.exe	126
PID 5356 set thread context of 5524	5356	wmiptsn.exe	129
PID 1488 set thread context of 5856	1488	wmiptsn.exe	133
PID 5484 set thread context of 4556	5484	wmiptsn.exe	135
PID 5208 set thread context of 4568	5208	wmiptsn.exe	137
PID 2004 set thread context of 5232	2004	wmiptsn.exe	142
PID 3276 set thread context of 5512	3276	wmiptsn.exe	144
PID 1916 set thread context of 916	1916	wmiptsn.exe	146
PID 3664 set thread context of 4848	3664	wmiptsn.exe	148
PID 3356 set thread context of 856	3356	wmiptsn.exe	150
PID 3644 set thread context of 2416	3644	wmiptsn.exe	152
PID 2764 set thread context of 620	2764	wmiptsn.exe	154
PID 2876 set thread context of 512	2876	wmiptsn.exe	156
PID 2008 set thread context of 2828	2008	wmiptsn.exe	158
PID 2980 set thread context of 1880	2980	wmiptsn.exe	160
PID 1972 set thread context of 464	1972	wmiptsn.exe	162
PID 3468 set thread context of 4436	3468	wmiptsn.exe	165
PID 6124 set thread context of 4080	6124	wmiptsn.exe	167
PID 2332 set thread context of 5996	2332	wmiptsn.exe	169
PID 1212 set thread context of 5528	1212	wmiptsn.exe	171
PID 2000 set thread context of 3764	2000	wmiptsn.exe	173
PID 1560 set thread context of 2152	1560	wmiptsn.exe	175
PID 5024 set thread context of 924	5024	wmiptsn.exe	177
PID 5568 set thread context of 608	5568	wmiptsn.exe	179
PID 2768 set thread context of 4768	2768	wmiptsn.exe	181
PID 2524 set thread context of 6056	2524	wmiptsn.exe	183
PID 5220 set thread context of 5328	5220	wmiptsn.exe	185
PID 4676 set thread context of 4488	4676	wmiptsn.exe	187
PID 548 set thread context of 5776	548	wmiptsn.exe	189
PID 1588 set thread context of 1328	1588	wmiptsn.exe	191
PID 1952 set thread context of 532	1952	wmiptsn.exe	193
PID 4428 set thread context of 5532	4428	wmiptsn.exe	195
PID 1632 set thread context of 5800	1632	wmiptsn.exe	197
PID 2436 set thread context of 5288	2436	wmiptsn.exe	199
PID 3644 set thread context of 5968	3644	wmiptsn.exe	201
PID 4696 set thread context of 5728	4696	wmiptsn.exe	203
PID 3876 set thread context of 3336	3876	wmiptsn.exe	205
PID 4076 set thread context of 4360	4076	wmiptsn.exe	207
PID 972 set thread context of 3924	972	wmiptsn.exe	209
PID 5292 set thread context of 5796	5292	wmiptsn.exe	211
PID 4352 set thread context of 2740	4352	wmiptsn.exe	213
PID 1972 set thread context of 4368	1972	wmiptsn.exe	215
PID 5952 set thread context of 3432	5952	wmiptsn.exe	217
PID 3468 set thread context of 2608	3468	wmiptsn.exe	219
PID 1004 set thread context of 6124	1004	wmiptsn.exe	221
PID 4960 set thread context of 3908	4960	wmiptsn.exe	223
PID 4028 set thread context of 5464	4028	wmiptsn.exe	225
PID 4516 set thread context of 1832	4516	wmiptsn.exe	227
PID 1560 set thread context of 3832	1560	wmiptsn.exe	229
PID 1768 set thread context of 2656	1768	wmiptsn.exe	231

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1332-0-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1332-2-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1332-3-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1332-4-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1332-38-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4536-43-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4536-45-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4536-44-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4536-46-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3788-55-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5976-62-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3088-69-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2040-76-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1216-83-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1440-89-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4340-96-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3020-104-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4396-111-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3892-118-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2464-127-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3944-135-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3708-143-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5524-152-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5856-160-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4556-169-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4568-177-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5232-185-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5512-189-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5512-194-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/916-203-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4848-211-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/856-218-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2416-224-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/620-230-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/512-236-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2828-242-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1880-248-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/464-254-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4436-260-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4080-266-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5996-272-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5528-278-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3764-284-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2152-290-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/924-296-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/608-302-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4768-308-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/6056-314-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5328-320-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4488-326-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5776-332-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1328-338-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/532-344-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5532-350-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5800-356-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5288-362-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5968-368-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5728-374-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3336-380-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4360-386-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3924-392-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5796-398-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2740-404-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4368-410-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9782af747d74702719c2da418256e164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiptsn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_9782af747d74702719c2da418256e164.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmiptsn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1332	JaffaCakes118_9782af747d74702719c2da418256e164.exe
1332	JaffaCakes118_9782af747d74702719c2da418256e164.exe
4536	wmiptsn.exe
4536	wmiptsn.exe
3788	wmiptsn.exe
3788	wmiptsn.exe
5976	wmiptsn.exe
5976	wmiptsn.exe
3088	wmiptsn.exe
3088	wmiptsn.exe
2040	wmiptsn.exe
2040	wmiptsn.exe
1216	wmiptsn.exe
1216	wmiptsn.exe
1440	wmiptsn.exe
1440	wmiptsn.exe
4340	wmiptsn.exe
4340	wmiptsn.exe
3020	wmiptsn.exe
3020	wmiptsn.exe
4396	wmiptsn.exe
4396	wmiptsn.exe
3892	wmiptsn.exe
3892	wmiptsn.exe
2464	wmiptsn.exe
2464	wmiptsn.exe
3944	wmiptsn.exe
3944	wmiptsn.exe
3708	wmiptsn.exe
3708	wmiptsn.exe
5524	wmiptsn.exe
5524	wmiptsn.exe
5856	wmiptsn.exe
5856	wmiptsn.exe
4556	wmiptsn.exe
4556	wmiptsn.exe
4568	wmiptsn.exe
4568	wmiptsn.exe
5232	wmiptsn.exe
5232	wmiptsn.exe
5512	wmiptsn.exe
5512	wmiptsn.exe
916	wmiptsn.exe
916	wmiptsn.exe
4848	wmiptsn.exe
4848	wmiptsn.exe
856	wmiptsn.exe
856	wmiptsn.exe
2416	wmiptsn.exe
2416	wmiptsn.exe
620	wmiptsn.exe
620	wmiptsn.exe
512	wmiptsn.exe
512	wmiptsn.exe
2828	wmiptsn.exe
2828	wmiptsn.exe
1880	wmiptsn.exe
1880	wmiptsn.exe
464	wmiptsn.exe
464	wmiptsn.exe
4436	wmiptsn.exe
4436	wmiptsn.exe
4080	wmiptsn.exe
4080	wmiptsn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1332	1408	JaffaCakes118_9782af747d74702719c2da418256e164.exe	89
PID 1408 wrote to memory of 1332	1408	JaffaCakes118_9782af747d74702719c2da418256e164.exe	89
PID 1408 wrote to memory of 1332	1408	JaffaCakes118_9782af747d74702719c2da418256e164.exe	89
PID 1408 wrote to memory of 1332	1408	JaffaCakes118_9782af747d74702719c2da418256e164.exe	89
PID 1408 wrote to memory of 1332	1408	JaffaCakes118_9782af747d74702719c2da418256e164.exe	89
PID 1408 wrote to memory of 1332	1408	JaffaCakes118_9782af747d74702719c2da418256e164.exe	89
PID 1408 wrote to memory of 1332	1408	JaffaCakes118_9782af747d74702719c2da418256e164.exe	89
PID 1332 wrote to memory of 1564	1332	JaffaCakes118_9782af747d74702719c2da418256e164.exe	90
PID 1332 wrote to memory of 1564	1332	JaffaCakes118_9782af747d74702719c2da418256e164.exe	90
PID 1332 wrote to memory of 1564	1332	JaffaCakes118_9782af747d74702719c2da418256e164.exe	90
PID 1564 wrote to memory of 4536	1564	wmiptsn.exe	91
PID 1564 wrote to memory of 4536	1564	wmiptsn.exe	91
PID 1564 wrote to memory of 4536	1564	wmiptsn.exe	91
PID 1564 wrote to memory of 4536	1564	wmiptsn.exe	91
PID 1564 wrote to memory of 4536	1564	wmiptsn.exe	91
PID 1564 wrote to memory of 4536	1564	wmiptsn.exe	91
PID 1564 wrote to memory of 4536	1564	wmiptsn.exe	91
PID 4536 wrote to memory of 4528	4536	wmiptsn.exe	94
PID 4536 wrote to memory of 4528	4536	wmiptsn.exe	94
PID 4536 wrote to memory of 4528	4536	wmiptsn.exe	94
PID 4528 wrote to memory of 3788	4528	wmiptsn.exe	96
PID 4528 wrote to memory of 3788	4528	wmiptsn.exe	96
PID 4528 wrote to memory of 3788	4528	wmiptsn.exe	96
PID 4528 wrote to memory of 3788	4528	wmiptsn.exe	96
PID 4528 wrote to memory of 3788	4528	wmiptsn.exe	96
PID 4528 wrote to memory of 3788	4528	wmiptsn.exe	96
PID 4528 wrote to memory of 3788	4528	wmiptsn.exe	96
PID 3788 wrote to memory of 5056	3788	wmiptsn.exe	98
PID 3788 wrote to memory of 5056	3788	wmiptsn.exe	98
PID 3788 wrote to memory of 5056	3788	wmiptsn.exe	98
PID 5056 wrote to memory of 5976	5056	wmiptsn.exe	99
PID 5056 wrote to memory of 5976	5056	wmiptsn.exe	99
PID 5056 wrote to memory of 5976	5056	wmiptsn.exe	99
PID 5056 wrote to memory of 5976	5056	wmiptsn.exe	99
PID 5056 wrote to memory of 5976	5056	wmiptsn.exe	99
PID 5056 wrote to memory of 5976	5056	wmiptsn.exe	99
PID 5056 wrote to memory of 5976	5056	wmiptsn.exe	99
PID 5976 wrote to memory of 1952	5976	wmiptsn.exe	101
PID 5976 wrote to memory of 1952	5976	wmiptsn.exe	101
PID 5976 wrote to memory of 1952	5976	wmiptsn.exe	101
PID 1952 wrote to memory of 3088	1952	wmiptsn.exe	102
PID 1952 wrote to memory of 3088	1952	wmiptsn.exe	102
PID 1952 wrote to memory of 3088	1952	wmiptsn.exe	102
PID 1952 wrote to memory of 3088	1952	wmiptsn.exe	102
PID 1952 wrote to memory of 3088	1952	wmiptsn.exe	102
PID 1952 wrote to memory of 3088	1952	wmiptsn.exe	102
PID 1952 wrote to memory of 3088	1952	wmiptsn.exe	102
PID 3088 wrote to memory of 5456	3088	wmiptsn.exe	105
PID 3088 wrote to memory of 5456	3088	wmiptsn.exe	105
PID 3088 wrote to memory of 5456	3088	wmiptsn.exe	105
PID 5456 wrote to memory of 2040	5456	wmiptsn.exe	106
PID 5456 wrote to memory of 2040	5456	wmiptsn.exe	106
PID 5456 wrote to memory of 2040	5456	wmiptsn.exe	106
PID 5456 wrote to memory of 2040	5456	wmiptsn.exe	106
PID 5456 wrote to memory of 2040	5456	wmiptsn.exe	106
PID 5456 wrote to memory of 2040	5456	wmiptsn.exe	106
PID 5456 wrote to memory of 2040	5456	wmiptsn.exe	106
PID 2040 wrote to memory of 1428	2040	wmiptsn.exe	107
PID 2040 wrote to memory of 1428	2040	wmiptsn.exe	107
PID 2040 wrote to memory of 1428	2040	wmiptsn.exe	107
PID 1428 wrote to memory of 1216	1428	wmiptsn.exe	108
PID 1428 wrote to memory of 1216	1428	wmiptsn.exe	108
PID 1428 wrote to memory of 1216	1428	wmiptsn.exe	108
PID 1428 wrote to memory of 1216	1428	wmiptsn.exe	108

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9782af747d74702719c2da418256e164.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9782af747d74702719c2da418256e164.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9782af747d74702719c2da418256e164.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9782af747d74702719c2da418256e164.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\wmiptsn.exe
    "C:\Windows\system32\wmiptsn.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\wmiptsn.exe
      "C:\Windows\SysWOW64\wmiptsn.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5976
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5456
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1608
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4340
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4360
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1436
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4396
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5708
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3892
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1592
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3432
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3944
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3708
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5356
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5524
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1488
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5856
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5484
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4556
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4568
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5232
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3276
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5512
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1916
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3664
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3356
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2764
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:620
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:512
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2980
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1972
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:464
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3468
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4436
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4080
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2332
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1212
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        69⤵
        Suspicious use of SetThreadContext
        
        PID:2000
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        72⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        73⤵
        Suspicious use of SetThreadContext
        
        PID:5024
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        75⤵
        Suspicious use of SetThreadContext
        
        PID:5568
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:608
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        77⤵
        Suspicious use of SetThreadContext
        
        PID:2768
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        81⤵
        Suspicious use of SetThreadContext
        
        PID:5220
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        88⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        89⤵
        Suspicious use of SetThreadContext
        
        PID:1952
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        94⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        95⤵
        Suspicious use of SetThreadContext
        
        PID:2436
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        96⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        97⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        101⤵
        Suspicious use of SetThreadContext
        
        PID:3876
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        103⤵
        Suspicious use of SetThreadContext
        
        PID:4076
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        104⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        105⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        107⤵
        Suspicious use of SetThreadContext
        
        PID:5292
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        109⤵
        Suspicious use of SetThreadContext
        
        PID:4352
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        111⤵
        Suspicious use of SetThreadContext
        
        PID:1972
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        112⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        113⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        115⤵
        Suspicious use of SetThreadContext
        
        PID:3468
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        116⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        118⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        119⤵
        Suspicious use of SetThreadContext
        
        PID:4960
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        121⤵
        Suspicious use of SetThreadContext
        
        PID:4028
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        122⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        123⤵
        Suspicious use of SetThreadContext
        
        PID:4516
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        124⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        125⤵
        Suspicious use of SetThreadContext
        
        PID:1560
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        126⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        127⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        128⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\system32\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        129⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\wmiptsn.exe
        
        "C:\Windows\SysWOW64\wmiptsn.exe" C:\Windows\SysWOW64\wmiptsn.exe
        130⤵
        
        PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmiptsn.exe

Filesize
235KB

MD5
9782af747d74702719c2da418256e164

SHA1
0ed275cbaeb7ad327172547dc036abdfdca163f5

SHA256
2bb11676d3671ade6eb5192012a52e7e1cc339ee6f6c36b3fb0942758856707e

SHA512
94bd7410ee4f8314a0ce84617a0c87f9b197e54ebd99227cafb8572850cd7abaf12e400c5d368c7277a2e220dfd04078fe448d53410a82bc3429c207a04f8a78

Download Submit
memory/464-254-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/512-236-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/532-344-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/608-302-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/620-230-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/856-218-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/916-203-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/924-296-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1216-83-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1328-338-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1332-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1332-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1332-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1332-38-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1332-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1440-89-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1832-446-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1880-248-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2040-76-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2152-290-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2416-224-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2464-127-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2608-422-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2656-458-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2740-404-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2828-242-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3020-104-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3088-69-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3336-380-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3432-416-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3708-143-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3764-284-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3788-55-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3832-452-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3892-118-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3908-434-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3924-392-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3944-135-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4080-266-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4340-96-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4360-386-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4368-410-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4396-111-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4436-260-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4488-326-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4536-45-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4536-46-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4536-44-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4536-43-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4556-169-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4568-177-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4768-308-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4848-211-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5232-185-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5288-362-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5328-320-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5464-440-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5512-194-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5512-189-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5524-152-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5528-278-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5532-350-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5728-374-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5776-332-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5796-398-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5800-356-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5856-160-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5968-368-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5976-62-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5996-272-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/6056-314-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/6124-428-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download