metasploit | cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

Analysis

max time kernel
152s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
Size

246KB
MD5

86e86de84654b601872d9abb44b61ca3
SHA1

4a24163c53453e02480972d1ea19d14ca4b5fd56
SHA256

cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07
SHA512

cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79
SSDEEP

3072:1U+VOoH6DX8xotADcUj9+lB2CoLIeh8oWRFQ81JShGtx1Y0btryX1BIeA7f/SU+Y:JH6z8hNaBVoLIjobAA0xy0ZylBY7HZP

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

pid	Process
1512	wmihtks.exe
1336	wmihtks.exe
560	wmihtks.exe
1368	wmihtks.exe
1528	wmihtks.exe
1824	wmihtks.exe
1624	wmihtks.exe
1260	wmihtks.exe
1804	wmihtks.exe
952	wmihtks.exe
1596	wmihtks.exe
1164	wmihtks.exe
1264	wmihtks.exe
832	wmihtks.exe
1688	wmihtks.exe
856	wmihtks.exe
1668	wmihtks.exe
1640	wmihtks.exe
1032	wmihtks.exe
968	wmihtks.exe
944	wmihtks.exe
1196	wmihtks.exe
1520	wmihtks.exe
1772	wmihtks.exe
844	wmihtks.exe
392	wmihtks.exe
1488	wmihtks.exe
1352	wmihtks.exe
628	wmihtks.exe
240	wmihtks.exe
1964	wmihtks.exe
1268	wmihtks.exe
1416	wmihtks.exe
1276	wmihtks.exe
872	wmihtks.exe
1060	wmihtks.exe
1144	wmihtks.exe
340	wmihtks.exe
1012	wmihtks.exe
1652	wmihtks.exe
1592	wmihtks.exe
948	wmihtks.exe
1864	wmihtks.exe
584	wmihtks.exe
268	wmihtks.exe
1780	wmihtks.exe
2016	wmihtks.exe
364	wmihtks.exe
1488	wmihtks.exe
924	wmihtks.exe
980	wmihtks.exe
1576	wmihtks.exe
480	wmihtks.exe
1200	wmihtks.exe
688	wmihtks.exe
1112	wmihtks.exe
1808	wmihtks.exe
1724	wmihtks.exe
1468	wmihtks.exe
1144	wmihtks.exe
1012	wmihtks.exe
580	wmihtks.exe
1596	wmihtks.exe
1592	wmihtks.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2004-55-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2004-57-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2004-58-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2004-61-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2004-63-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2004-64-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2004-65-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2004-69-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1336-80-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1336-81-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1336-82-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1336-86-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1368-96-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1368-97-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1368-98-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1368-102-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1824-114-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1824-118-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1260-128-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1260-129-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1260-130-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1260-135-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/952-143-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/952-146-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1164-158-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1164-162-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/832-174-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/832-178-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/856-190-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/856-194-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1640-206-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1640-211-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/968-223-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/968-227-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1196-239-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1196-244-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1772-256-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1772-260-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/392-272-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/392-277-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1352-289-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1352-293-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/240-305-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/240-309-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1268-321-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1268-326-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1276-338-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1276-342-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1060-353-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1060-355-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/340-366-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/340-368-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1652-379-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1652-381-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/948-392-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/948-394-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/584-405-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/584-407-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1780-418-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1780-420-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/364-431-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/364-433-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/924-444-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/924-446-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Loads dropped DLL 43 IoCs

pid	Process
2004	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
1336	wmihtks.exe
1368	wmihtks.exe
1824	wmihtks.exe
1260	wmihtks.exe
952	wmihtks.exe
1164	wmihtks.exe
832	wmihtks.exe
856	wmihtks.exe
1640	wmihtks.exe
968	wmihtks.exe
1196	wmihtks.exe
1772	wmihtks.exe
392	wmihtks.exe
1352	wmihtks.exe
240	wmihtks.exe
1268	wmihtks.exe
1276	wmihtks.exe
1060	wmihtks.exe
340	wmihtks.exe
1652	wmihtks.exe
948	wmihtks.exe
584	wmihtks.exe
1780	wmihtks.exe
364	wmihtks.exe
924	wmihtks.exe
1576	wmihtks.exe
1200	wmihtks.exe
1112	wmihtks.exe
1724	wmihtks.exe
1144	wmihtks.exe
580	wmihtks.exe
1592	wmihtks.exe
520	wmihtks.exe
1992	wmihtks.exe
1668	wmihtks.exe
1312	wmihtks.exe
1580	wmihtks.exe
1900	wmihtks.exe
1536	wmihtks.exe
1616	wmihtks.exe
1800	wmihtks.exe
1296	wmihtks.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe

Suspicious use of SetThreadContext 44 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 2004	1956	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	28
PID 1512 set thread context of 1336	1512	wmihtks.exe	30
PID 560 set thread context of 1368	560	wmihtks.exe	32
PID 1528 set thread context of 1824	1528	wmihtks.exe	34
PID 1624 set thread context of 1260	1624	wmihtks.exe	36
PID 1804 set thread context of 952	1804	wmihtks.exe	38
PID 1596 set thread context of 1164	1596	wmihtks.exe	40
PID 1264 set thread context of 832	1264	wmihtks.exe	42
PID 1688 set thread context of 856	1688	wmihtks.exe	44
PID 1668 set thread context of 1640	1668	wmihtks.exe	46
PID 1032 set thread context of 968	1032	wmihtks.exe	48
PID 944 set thread context of 1196	944	wmihtks.exe	50
PID 1520 set thread context of 1772	1520	wmihtks.exe	52
PID 844 set thread context of 392	844	wmihtks.exe	54
PID 1488 set thread context of 1352	1488	wmihtks.exe	56
PID 628 set thread context of 240	628	wmihtks.exe	58
PID 1964 set thread context of 1268	1964	wmihtks.exe	60
PID 1416 set thread context of 1276	1416	wmihtks.exe	62
PID 872 set thread context of 1060	872	wmihtks.exe	64
PID 1144 set thread context of 340	1144	wmihtks.exe	66
PID 1012 set thread context of 1652	1012	wmihtks.exe	68
PID 1592 set thread context of 948	1592	wmihtks.exe	70
PID 1864 set thread context of 584	1864	wmihtks.exe	72
PID 268 set thread context of 1780	268	wmihtks.exe	74
PID 2016 set thread context of 364	2016	wmihtks.exe	76
PID 1488 set thread context of 924	1488	wmihtks.exe	78
PID 980 set thread context of 1576	980	wmihtks.exe	80
PID 480 set thread context of 1200	480	wmihtks.exe	82
PID 688 set thread context of 1112	688	wmihtks.exe	84
PID 1808 set thread context of 1724	1808	wmihtks.exe	86
PID 1468 set thread context of 1144	1468	wmihtks.exe	88
PID 1012 set thread context of 580	1012	wmihtks.exe	90
PID 1596 set thread context of 1592	1596	wmihtks.exe	92
PID 1512 set thread context of 520	1512	wmihtks.exe	94
PID 1868 set thread context of 1992	1868	wmihtks.exe	96
PID 1688 set thread context of 1668	1688	wmihtks.exe	98
PID 840 set thread context of 1312	840	wmihtks.exe	100
PID 944 set thread context of 1580	944	wmihtks.exe	102
PID 1996 set thread context of 1900	1996	wmihtks.exe	104
PID 1264 set thread context of 1536	1264	wmihtks.exe	106
PID 1496 set thread context of 1616	1496	wmihtks.exe	108
PID 568 set thread context of 1800	568	wmihtks.exe	110
PID 1532 set thread context of 1296	1532	wmihtks.exe	112
PID 1436 set thread context of 480	1436	wmihtks.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2004	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
1336	wmihtks.exe
1368	wmihtks.exe
1824	wmihtks.exe
1260	wmihtks.exe
1164	wmihtks.exe
832	wmihtks.exe
856	wmihtks.exe
1640	wmihtks.exe
968	wmihtks.exe
1196	wmihtks.exe
1772	wmihtks.exe
392	wmihtks.exe
1352	wmihtks.exe
240	wmihtks.exe
1268	wmihtks.exe
1276	wmihtks.exe
1060	wmihtks.exe
340	wmihtks.exe
1652	wmihtks.exe
948	wmihtks.exe
584	wmihtks.exe
1780	wmihtks.exe
364	wmihtks.exe
924	wmihtks.exe
1576	wmihtks.exe
1200	wmihtks.exe
1112	wmihtks.exe
1724	wmihtks.exe
1144	wmihtks.exe
580	wmihtks.exe
1592	wmihtks.exe
520	wmihtks.exe
1992	wmihtks.exe
1668	wmihtks.exe
1312	wmihtks.exe
1580	wmihtks.exe
1900	wmihtks.exe
1536	wmihtks.exe
1616	wmihtks.exe
1800	wmihtks.exe
1296	wmihtks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2004	1956	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	28
PID 1956 wrote to memory of 2004	1956	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	28
PID 1956 wrote to memory of 2004	1956	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	28
PID 1956 wrote to memory of 2004	1956	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	28
PID 1956 wrote to memory of 2004	1956	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	28
PID 1956 wrote to memory of 2004	1956	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	28
PID 1956 wrote to memory of 2004	1956	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	28
PID 2004 wrote to memory of 1512	2004	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	29
PID 2004 wrote to memory of 1512	2004	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	29
PID 2004 wrote to memory of 1512	2004	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	29
PID 2004 wrote to memory of 1512	2004	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	29
PID 1512 wrote to memory of 1336	1512	wmihtks.exe	30
PID 1512 wrote to memory of 1336	1512	wmihtks.exe	30
PID 1512 wrote to memory of 1336	1512	wmihtks.exe	30
PID 1512 wrote to memory of 1336	1512	wmihtks.exe	30
PID 1512 wrote to memory of 1336	1512	wmihtks.exe	30
PID 1512 wrote to memory of 1336	1512	wmihtks.exe	30
PID 1512 wrote to memory of 1336	1512	wmihtks.exe	30
PID 1336 wrote to memory of 560	1336	wmihtks.exe	31
PID 1336 wrote to memory of 560	1336	wmihtks.exe	31
PID 1336 wrote to memory of 560	1336	wmihtks.exe	31
PID 1336 wrote to memory of 560	1336	wmihtks.exe	31
PID 560 wrote to memory of 1368	560	wmihtks.exe	32
PID 560 wrote to memory of 1368	560	wmihtks.exe	32
PID 560 wrote to memory of 1368	560	wmihtks.exe	32
PID 560 wrote to memory of 1368	560	wmihtks.exe	32
PID 560 wrote to memory of 1368	560	wmihtks.exe	32
PID 560 wrote to memory of 1368	560	wmihtks.exe	32
PID 560 wrote to memory of 1368	560	wmihtks.exe	32
PID 1368 wrote to memory of 1528	1368	wmihtks.exe	33
PID 1368 wrote to memory of 1528	1368	wmihtks.exe	33
PID 1368 wrote to memory of 1528	1368	wmihtks.exe	33
PID 1368 wrote to memory of 1528	1368	wmihtks.exe	33
PID 1528 wrote to memory of 1824	1528	wmihtks.exe	34
PID 1528 wrote to memory of 1824	1528	wmihtks.exe	34
PID 1528 wrote to memory of 1824	1528	wmihtks.exe	34
PID 1528 wrote to memory of 1824	1528	wmihtks.exe	34
PID 1528 wrote to memory of 1824	1528	wmihtks.exe	34
PID 1528 wrote to memory of 1824	1528	wmihtks.exe	34
PID 1528 wrote to memory of 1824	1528	wmihtks.exe	34
PID 1824 wrote to memory of 1624	1824	wmihtks.exe	35
PID 1824 wrote to memory of 1624	1824	wmihtks.exe	35
PID 1824 wrote to memory of 1624	1824	wmihtks.exe	35
PID 1824 wrote to memory of 1624	1824	wmihtks.exe	35
PID 1624 wrote to memory of 1260	1624	wmihtks.exe	36
PID 1624 wrote to memory of 1260	1624	wmihtks.exe	36
PID 1624 wrote to memory of 1260	1624	wmihtks.exe	36
PID 1624 wrote to memory of 1260	1624	wmihtks.exe	36
PID 1624 wrote to memory of 1260	1624	wmihtks.exe	36
PID 1624 wrote to memory of 1260	1624	wmihtks.exe	36
PID 1624 wrote to memory of 1260	1624	wmihtks.exe	36
PID 1260 wrote to memory of 1804	1260	wmihtks.exe	37
PID 1260 wrote to memory of 1804	1260	wmihtks.exe	37
PID 1260 wrote to memory of 1804	1260	wmihtks.exe	37
PID 1260 wrote to memory of 1804	1260	wmihtks.exe	37
PID 1804 wrote to memory of 952	1804	wmihtks.exe	38
PID 1804 wrote to memory of 952	1804	wmihtks.exe	38
PID 1804 wrote to memory of 952	1804	wmihtks.exe	38
PID 1804 wrote to memory of 952	1804	wmihtks.exe	38
PID 1804 wrote to memory of 952	1804	wmihtks.exe	38
PID 1804 wrote to memory of 952	1804	wmihtks.exe	38
PID 1804 wrote to memory of 952	1804	wmihtks.exe	38
PID 1596 wrote to memory of 1164	1596	wmihtks.exe	40
PID 1596 wrote to memory of 1164	1596	wmihtks.exe	40

C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
"C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
  "C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe" C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\wmihtks.exe
    "C:\Windows\system32\wmihtks.exe" C:\Users\Admin\AppData\Local\Temp\CFDEC7~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\wmihtks.exe
      "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Users\Admin\AppData\Local\Temp\CFDEC7~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:560
      - C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:952
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1264
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:832
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1688
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1668
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1032
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:968
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:944
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1520
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:844
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:392
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1488
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1352
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:628
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:240
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1964
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1416
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1276
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:872
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1144
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:340
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1012
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1592
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:948
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1864
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:584
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:268
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2016
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:364
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1488
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:980
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:480
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:688
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1112
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1808
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1468
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1144
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1012
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:580
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1596
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        66⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1512
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        68⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:520
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        69⤵
        Suspicious use of SetThreadContext
        
        PID:1868
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        70⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        71⤵
        Suspicious use of SetThreadContext
        
        PID:1688
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        72⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        73⤵
        Suspicious use of SetThreadContext
        
        PID:840
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        74⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1312
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        75⤵
        Suspicious use of SetThreadContext
        
        PID:944
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        76⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        77⤵
        Suspicious use of SetThreadContext
        
        PID:1996
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        78⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        79⤵
        Suspicious use of SetThreadContext
        
        PID:1264
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        80⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        81⤵
        Suspicious use of SetThreadContext
        
        PID:1496
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        82⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        83⤵
        Suspicious use of SetThreadContext
        
        PID:568
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        84⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        85⤵
        Suspicious use of SetThreadContext
        
        PID:1532
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        86⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1296
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        87⤵
        Suspicious use of SetThreadContext
        
        PID:1436
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        88⤵
        
        PID:480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
memory/240-309-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/240-305-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/340-368-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/340-366-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/364-433-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/364-431-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/392-277-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/392-272-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/580-522-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/584-405-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/584-407-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/832-178-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/832-174-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/856-190-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/856-194-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/924-444-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/924-446-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/948-394-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/948-392-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/952-146-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/952-143-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/968-227-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/968-223-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1060-355-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1060-353-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1112-483-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1112-485-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1144-511-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1144-509-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1164-158-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1164-162-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1196-244-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1196-239-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1200-472-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1200-470-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1260-128-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1260-135-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1260-130-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1260-129-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1268-321-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1268-326-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1276-342-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1276-338-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1336-82-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1336-81-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1336-80-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1336-86-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1352-293-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1352-289-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1368-96-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1368-98-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1368-102-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1368-97-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1576-459-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1576-457-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1640-206-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1640-211-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1652-379-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1652-381-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1724-498-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1724-496-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1772-260-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1772-256-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1780-420-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1780-418-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1824-118-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1824-114-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-61-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-62-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/2004-63-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-64-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-65-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-69-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-58-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-57-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-54-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-55-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download