metasploit | cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

Analysis

max time kernel
153s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
Size

246KB
MD5

86e86de84654b601872d9abb44b61ca3
SHA1

4a24163c53453e02480972d1ea19d14ca4b5fd56
SHA256

cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07
SHA512

cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79
SSDEEP

3072:1U+VOoH6DX8xotADcUj9+lB2CoLIeh8oWRFQ81JShGtx1Y0btryX1BIeA7f/SU+Y:JH6z8hNaBVoLIjobAA0xy0ZylBY7HZP

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

pid	Process
4564	wmihtks.exe
3760	wmihtks.exe
4320	wmihtks.exe
2088	wmihtks.exe
2216	wmihtks.exe
1216	wmihtks.exe
4252	wmihtks.exe
972	wmihtks.exe
3472	wmihtks.exe
3476	wmihtks.exe
1312	wmihtks.exe
4364	wmihtks.exe
5024	wmihtks.exe
820	wmihtks.exe
4208	wmihtks.exe
1632	wmihtks.exe
3928	wmihtks.exe
2548	wmihtks.exe
4000	wmihtks.exe
1404	wmihtks.exe
348	wmihtks.exe
1108	wmihtks.exe
4248	wmihtks.exe
2656	wmihtks.exe
1940	wmihtks.exe
5028	wmihtks.exe
1792	wmihtks.exe
3624	wmihtks.exe
1088	wmihtks.exe
1072	wmihtks.exe
3560	wmihtks.exe
1556	wmihtks.exe
1536	wmihtks.exe
4192	wmihtks.exe
3824	wmihtks.exe
4940	wmihtks.exe
3864	wmihtks.exe
1236	wmihtks.exe
4600	wmihtks.exe
4320	wmihtks.exe
5104	wmihtks.exe
3844	wmihtks.exe
3856	wmihtks.exe
3324	wmihtks.exe
3744	wmihtks.exe
3284	wmihtks.exe
3328	wmihtks.exe
3912	wmihtks.exe
4648	wmihtks.exe
4212	wmihtks.exe
3080	wmihtks.exe
1816	wmihtks.exe
2460	wmihtks.exe
3216	wmihtks.exe
3848	wmihtks.exe
4972	wmihtks.exe
696	wmihtks.exe
1956	wmihtks.exe
1124	wmihtks.exe
4004	wmihtks.exe
4424	wmihtks.exe
4348	wmihtks.exe
4360	wmihtks.exe
1760	wmihtks.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/312-133-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/312-135-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/312-136-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/312-137-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/312-141-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3760-148-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3760-151-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/2088-156-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/2088-157-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/2088-158-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/2088-161-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1216-168-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1216-171-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/972-178-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/972-181-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3476-188-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3476-191-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4364-198-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4364-201-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/820-208-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/820-211-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1632-218-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1632-221-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/2548-228-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/2548-232-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1404-239-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1404-242-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1108-249-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1108-252-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/2656-259-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/2656-262-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/5028-269-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/5028-272-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3624-279-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3624-282-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1072-289-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1072-292-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1556-299-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1556-302-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4192-309-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4192-312-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4940-319-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4940-322-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1236-329-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1236-332-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4320-339-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4320-342-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3844-349-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3844-352-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3324-359-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3324-361-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3284-367-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3284-369-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3912-375-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3912-377-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4212-383-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4212-385-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1816-391-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1816-393-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3216-399-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/3216-401-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4972-407-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4972-409-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/1956-415-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihtks.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File opened for modification	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe
File created	C:\Windows\SysWOW64\wmihtks.exe	wmihtks.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3800 set thread context of 312	3800	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	85
PID 4564 set thread context of 3760	4564	wmihtks.exe	87
PID 4320 set thread context of 2088	4320	wmihtks.exe	92
PID 2216 set thread context of 1216	2216	wmihtks.exe	94
PID 4252 set thread context of 972	4252	wmihtks.exe	96
PID 3472 set thread context of 3476	3472	wmihtks.exe	99
PID 1312 set thread context of 4364	1312	wmihtks.exe	101
PID 5024 set thread context of 820	5024	wmihtks.exe	105
PID 4208 set thread context of 1632	4208	wmihtks.exe	107
PID 3928 set thread context of 2548	3928	wmihtks.exe	109
PID 4000 set thread context of 1404	4000	wmihtks.exe	111
PID 348 set thread context of 1108	348	wmihtks.exe	113
PID 4248 set thread context of 2656	4248	wmihtks.exe	115
PID 1940 set thread context of 5028	1940	wmihtks.exe	118
PID 1792 set thread context of 3624	1792	wmihtks.exe	120
PID 1088 set thread context of 1072	1088	wmihtks.exe	122
PID 3560 set thread context of 1556	3560	wmihtks.exe	124
PID 1536 set thread context of 4192	1536	wmihtks.exe	127
PID 3824 set thread context of 4940	3824	wmihtks.exe	129
PID 3864 set thread context of 1236	3864	wmihtks.exe	132
PID 4600 set thread context of 4320	4600	wmihtks.exe	135
PID 5104 set thread context of 3844	5104	wmihtks.exe	139
PID 3856 set thread context of 3324	3856	wmihtks.exe	142
PID 3744 set thread context of 3284	3744	wmihtks.exe	145
PID 3328 set thread context of 3912	3328	wmihtks.exe	147
PID 4648 set thread context of 4212	4648	wmihtks.exe	149
PID 3080 set thread context of 1816	3080	wmihtks.exe	151
PID 2460 set thread context of 3216	2460	wmihtks.exe	153
PID 3848 set thread context of 4972	3848	wmihtks.exe	155
PID 696 set thread context of 1956	696	wmihtks.exe	157
PID 1124 set thread context of 4004	1124	wmihtks.exe	159
PID 4424 set thread context of 4348	4424	wmihtks.exe	161
PID 4360 set thread context of 1760	4360	wmihtks.exe	163
PID 1748 set thread context of 4088	1748	wmihtks.exe	165
PID 524 set thread context of 2916	524	wmihtks.exe	167
PID 4904 set thread context of 1300	4904	wmihtks.exe	169
PID 3024 set thread context of 5024	3024	wmihtks.exe	171
PID 1260 set thread context of 4208	1260	wmihtks.exe	173
PID 4292 set thread context of 832	4292	wmihtks.exe	175
PID 3668 set thread context of 1348	3668	wmihtks.exe	177
PID 4776 set thread context of 2460	4776	wmihtks.exe	180
PID 2640 set thread context of 4428	2640	wmihtks.exe	182
PID 5084 set thread context of 4560	5084	wmihtks.exe	184
PID 2772 set thread context of 1736	2772	wmihtks.exe	186
PID 2720 set thread context of 2832	2720	wmihtks.exe	188
PID 2524 set thread context of 4484	2524	wmihtks.exe	190
PID 3768 set thread context of 1392	3768	wmihtks.exe	192
PID 3856 set thread context of 3380	3856	wmihtks.exe	194
PID 2300 set thread context of 3724	2300	wmihtks.exe	196
PID 4104 set thread context of 3800	4104	wmihtks.exe	198
PID 3924 set thread context of 320	3924	wmihtks.exe	200
PID 2316 set thread context of 3852	2316	wmihtks.exe	202
PID 4584 set thread context of 3308	4584	wmihtks.exe	204
PID 1260 set thread context of 2820	1260	wmihtks.exe	206
PID 8 set thread context of 4292	8	wmihtks.exe	208
PID 2516 set thread context of 3668	2516	wmihtks.exe	210
PID 4680 set thread context of 4764	4680	wmihtks.exe	212
PID 4600 set thread context of 3032	4600	wmihtks.exe	214
PID 656 set thread context of 2436	656	wmihtks.exe	216
PID 4796 set thread context of 5000	4796	wmihtks.exe	218
PID 696 set thread context of 1792	696	wmihtks.exe	220
PID 3788 set thread context of 3840	3788	wmihtks.exe	222
PID 5064 set thread context of 4848	5064	wmihtks.exe	224
PID 4532 set thread context of 1988	4532	wmihtks.exe	226

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmihtks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
312	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
312	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
3760	wmihtks.exe
3760	wmihtks.exe
2088	wmihtks.exe
2088	wmihtks.exe
1216	wmihtks.exe
1216	wmihtks.exe
972	wmihtks.exe
972	wmihtks.exe
3476	wmihtks.exe
3476	wmihtks.exe
4364	wmihtks.exe
4364	wmihtks.exe
820	wmihtks.exe
820	wmihtks.exe
1632	wmihtks.exe
1632	wmihtks.exe
2548	wmihtks.exe
2548	wmihtks.exe
1404	wmihtks.exe
1404	wmihtks.exe
1108	wmihtks.exe
1108	wmihtks.exe
2656	wmihtks.exe
2656	wmihtks.exe
5028	wmihtks.exe
5028	wmihtks.exe
3624	wmihtks.exe
3624	wmihtks.exe
1072	wmihtks.exe
1072	wmihtks.exe
1556	wmihtks.exe
1556	wmihtks.exe
4192	wmihtks.exe
4192	wmihtks.exe
4940	wmihtks.exe
4940	wmihtks.exe
1236	wmihtks.exe
1236	wmihtks.exe
4320	wmihtks.exe
4320	wmihtks.exe
3844	wmihtks.exe
3844	wmihtks.exe
3324	wmihtks.exe
3324	wmihtks.exe
3284	wmihtks.exe
3284	wmihtks.exe
3912	wmihtks.exe
3912	wmihtks.exe
4212	wmihtks.exe
4212	wmihtks.exe
1816	wmihtks.exe
1816	wmihtks.exe
3216	wmihtks.exe
3216	wmihtks.exe
4972	wmihtks.exe
4972	wmihtks.exe
1956	wmihtks.exe
1956	wmihtks.exe
4004	wmihtks.exe
4004	wmihtks.exe
4348	wmihtks.exe
4348	wmihtks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 312	3800	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	85
PID 3800 wrote to memory of 312	3800	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	85
PID 3800 wrote to memory of 312	3800	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	85
PID 3800 wrote to memory of 312	3800	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	85
PID 3800 wrote to memory of 312	3800	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	85
PID 3800 wrote to memory of 312	3800	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	85
PID 3800 wrote to memory of 312	3800	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	85
PID 312 wrote to memory of 4564	312	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	86
PID 312 wrote to memory of 4564	312	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	86
PID 312 wrote to memory of 4564	312	cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe	86
PID 4564 wrote to memory of 3760	4564	wmihtks.exe	87
PID 4564 wrote to memory of 3760	4564	wmihtks.exe	87
PID 4564 wrote to memory of 3760	4564	wmihtks.exe	87
PID 4564 wrote to memory of 3760	4564	wmihtks.exe	87
PID 4564 wrote to memory of 3760	4564	wmihtks.exe	87
PID 4564 wrote to memory of 3760	4564	wmihtks.exe	87
PID 4564 wrote to memory of 3760	4564	wmihtks.exe	87
PID 3760 wrote to memory of 4320	3760	wmihtks.exe	91
PID 3760 wrote to memory of 4320	3760	wmihtks.exe	91
PID 3760 wrote to memory of 4320	3760	wmihtks.exe	91
PID 4320 wrote to memory of 2088	4320	wmihtks.exe	92
PID 4320 wrote to memory of 2088	4320	wmihtks.exe	92
PID 4320 wrote to memory of 2088	4320	wmihtks.exe	92
PID 4320 wrote to memory of 2088	4320	wmihtks.exe	92
PID 4320 wrote to memory of 2088	4320	wmihtks.exe	92
PID 4320 wrote to memory of 2088	4320	wmihtks.exe	92
PID 4320 wrote to memory of 2088	4320	wmihtks.exe	92
PID 2088 wrote to memory of 2216	2088	wmihtks.exe	93
PID 2088 wrote to memory of 2216	2088	wmihtks.exe	93
PID 2088 wrote to memory of 2216	2088	wmihtks.exe	93
PID 2216 wrote to memory of 1216	2216	wmihtks.exe	94
PID 2216 wrote to memory of 1216	2216	wmihtks.exe	94
PID 2216 wrote to memory of 1216	2216	wmihtks.exe	94
PID 2216 wrote to memory of 1216	2216	wmihtks.exe	94
PID 2216 wrote to memory of 1216	2216	wmihtks.exe	94
PID 2216 wrote to memory of 1216	2216	wmihtks.exe	94
PID 2216 wrote to memory of 1216	2216	wmihtks.exe	94
PID 1216 wrote to memory of 4252	1216	wmihtks.exe	95
PID 1216 wrote to memory of 4252	1216	wmihtks.exe	95
PID 1216 wrote to memory of 4252	1216	wmihtks.exe	95
PID 4252 wrote to memory of 972	4252	wmihtks.exe	96
PID 4252 wrote to memory of 972	4252	wmihtks.exe	96
PID 4252 wrote to memory of 972	4252	wmihtks.exe	96
PID 4252 wrote to memory of 972	4252	wmihtks.exe	96
PID 4252 wrote to memory of 972	4252	wmihtks.exe	96
PID 4252 wrote to memory of 972	4252	wmihtks.exe	96
PID 4252 wrote to memory of 972	4252	wmihtks.exe	96
PID 972 wrote to memory of 3472	972	wmihtks.exe	98
PID 972 wrote to memory of 3472	972	wmihtks.exe	98
PID 972 wrote to memory of 3472	972	wmihtks.exe	98
PID 3472 wrote to memory of 3476	3472	wmihtks.exe	99
PID 3472 wrote to memory of 3476	3472	wmihtks.exe	99
PID 3472 wrote to memory of 3476	3472	wmihtks.exe	99
PID 3472 wrote to memory of 3476	3472	wmihtks.exe	99
PID 3472 wrote to memory of 3476	3472	wmihtks.exe	99
PID 3472 wrote to memory of 3476	3472	wmihtks.exe	99
PID 3472 wrote to memory of 3476	3472	wmihtks.exe	99
PID 3476 wrote to memory of 1312	3476	wmihtks.exe	100
PID 3476 wrote to memory of 1312	3476	wmihtks.exe	100
PID 3476 wrote to memory of 1312	3476	wmihtks.exe	100
PID 1312 wrote to memory of 4364	1312	wmihtks.exe	101
PID 1312 wrote to memory of 4364	1312	wmihtks.exe	101
PID 1312 wrote to memory of 4364	1312	wmihtks.exe	101
PID 1312 wrote to memory of 4364	1312	wmihtks.exe	101

C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
"C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe
  "C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe" C:\Users\Admin\AppData\Local\Temp\cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\SysWOW64\wmihtks.exe
    "C:\Windows\system32\wmihtks.exe" C:\Users\Admin\AppData\Local\Temp\CFDEC7~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\wmihtks.exe
      "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Users\Admin\AppData\Local\Temp\CFDEC7~1.EXE
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4364
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5024
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:820
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4208
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3928
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4000
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:348
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4248
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1940
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        28⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5028
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1792
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1088
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        32⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1072
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3560
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1536
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4192
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3824
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        38⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3864
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        40⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1236
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4600
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        42⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4320
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5104
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        44⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3844
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3856
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3324
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3744
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        48⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3284
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3328
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        50⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4648
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        52⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3080
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        54⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2460
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        56⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3216
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3848
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        58⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4972
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:696
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        60⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1124
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        62⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4424
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        64⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4348
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4360
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1748
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        68⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        69⤵
        Suspicious use of SetThreadContext
        
        PID:524
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        71⤵
        Suspicious use of SetThreadContext
        
        PID:4904
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        73⤵
        Suspicious use of SetThreadContext
        
        PID:3024
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        75⤵
        Suspicious use of SetThreadContext
        
        PID:1260
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        77⤵
        Suspicious use of SetThreadContext
        
        PID:4292
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        79⤵
        Suspicious use of SetThreadContext
        
        PID:3668
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        81⤵
        Suspicious use of SetThreadContext
        
        PID:4776
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        83⤵
        Suspicious use of SetThreadContext
        
        PID:2640
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        85⤵
        Suspicious use of SetThreadContext
        
        PID:5084
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        87⤵
        Suspicious use of SetThreadContext
        
        PID:2772
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        89⤵
        Suspicious use of SetThreadContext
        
        PID:2720
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2524
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        93⤵
        Suspicious use of SetThreadContext
        
        PID:3768
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        94⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        95⤵
        Suspicious use of SetThreadContext
        
        PID:3856
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        97⤵
        Suspicious use of SetThreadContext
        
        PID:2300
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        98⤵
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        99⤵
        Suspicious use of SetThreadContext
        
        PID:4104
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        101⤵
        Suspicious use of SetThreadContext
        
        PID:3924
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        103⤵
        Suspicious use of SetThreadContext
        
        PID:2316
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        104⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        105⤵
        Suspicious use of SetThreadContext
        
        PID:4584
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        107⤵
        Suspicious use of SetThreadContext
        
        PID:1260
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        109⤵
        Suspicious use of SetThreadContext
        
        PID:8
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        111⤵
        Suspicious use of SetThreadContext
        
        PID:2516
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        112⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        113⤵
        Suspicious use of SetThreadContext
        
        PID:4680
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        114⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        115⤵
        Suspicious use of SetThreadContext
        
        PID:4600
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        116⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        117⤵
        Suspicious use of SetThreadContext
        
        PID:656
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        118⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        119⤵
        Suspicious use of SetThreadContext
        
        PID:4796
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        120⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        121⤵
        Suspicious use of SetThreadContext
        
        PID:696
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        122⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        123⤵
        Suspicious use of SetThreadContext
        
        PID:3788
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        124⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        125⤵
        Suspicious use of SetThreadContext
        
        PID:5064
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        126⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        127⤵
        Suspicious use of SetThreadContext
        
        PID:4532
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        128⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        129⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        130⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        131⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        132⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        133⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        134⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        135⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        136⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        137⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        138⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        139⤵
        
        PID:428
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        140⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        141⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        142⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        143⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        144⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        145⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        146⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        147⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        148⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        149⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        150⤵
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        151⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        152⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        153⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        154⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        155⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\wmihtks.exe
        
        "C:\Windows\SysWOW64\wmihtks.exe" C:\Windows\system32\wmihtks.exe" C:\Windows\SysWOW64\wmihtks.exe
        156⤵
        
        PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
C:\Windows\SysWOW64\wmihtks.exe

Filesize
246KB

MD5
86e86de84654b601872d9abb44b61ca3

SHA1
4a24163c53453e02480972d1ea19d14ca4b5fd56

SHA256
cfdec725a493e23102e3f3ce6babbbc5260c4d399c6d9e1c8083720e4552cb07

SHA512
cc1cdf14ffc346fe1317afa01803fb99e94b76e1955927d6e17e7c8077294db590586f82db93ddb04a1488b1a1cf6f08930d9e991f3a225fd3f7a83cc8b0bf79

Download Submit
memory/312-137-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/312-136-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/312-133-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/312-135-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/312-141-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/820-211-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/820-208-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/972-181-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/972-178-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1072-292-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1072-289-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1108-249-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1108-252-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1216-168-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1216-171-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1236-329-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1236-332-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1404-239-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1404-242-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1556-299-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1556-302-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1632-218-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1632-221-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1816-393-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1816-391-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1956-417-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1956-415-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2088-158-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2088-156-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2088-157-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2088-161-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2548-232-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2548-228-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2656-259-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2656-262-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3216-399-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3216-401-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3284-367-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3284-369-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3324-361-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3324-359-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3476-188-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3476-191-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3624-279-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3624-282-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3760-151-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3760-148-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3844-352-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3844-349-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3912-377-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3912-375-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4004-425-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4004-423-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4192-312-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4192-309-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4212-383-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4212-385-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4320-339-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4320-342-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4348-431-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4348-433-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4364-198-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4364-201-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4940-319-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4940-322-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4972-409-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4972-407-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5028-269-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5028-272-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download