metasploit | 8c0b64250cc45b6355e000c19f84277ed36c82db1ee2a7a0b1b7b61715f637c8

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0e5c2b62d47728b11de9bbd9411f287.exe
Size

232KB
MD5

c0e5c2b62d47728b11de9bbd9411f287
SHA1

a95e8de5f747018729f10bd29c8105382952d8da
SHA256

8c0b64250cc45b6355e000c19f84277ed36c82db1ee2a7a0b1b7b61715f637c8
SHA512

f87ea7ece09df6d2652cd566fbeb3b37d8277e8edd0d1ec8a5cfbd969261105447a95ea874a1a0b167539b445f6964edb4bacd70b8b5caa46134f12333aa68a7
SSDEEP

3072:iS9RUUb0IYRCN5PJRayrDQJzYqr0zJDITKbhduOToZlpK0IMgmVEx+hRF4q5ETF:TblYR2TwyX4YqrUIOXYnWM9Kqgq5E

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2600	wmispqd.exe

Executes dropped EXE 64 IoCs

pid	Process
2588	wmispqd.exe
2600	wmispqd.exe
2492	wmispqd.exe
2976	wmispqd.exe
2680	wmispqd.exe
2636	wmispqd.exe
760	wmispqd.exe
1808	wmispqd.exe
1544	wmispqd.exe
1284	wmispqd.exe
536	wmispqd.exe
1492	wmispqd.exe
1908	wmispqd.exe
2104	wmispqd.exe
840	wmispqd.exe
912	wmispqd.exe
2800	wmispqd.exe
2952	wmispqd.exe
1412	wmispqd.exe
1408	wmispqd.exe
2456	wmispqd.exe
2728	wmispqd.exe
2948	wmispqd.exe
2508	wmispqd.exe
1192	wmispqd.exe
1832	wmispqd.exe
2912	wmispqd.exe
760	wmispqd.exe
1868	wmispqd.exe
2280	wmispqd.exe
1164	wmispqd.exe
1484	wmispqd.exe
2416	wmispqd.exe
2156	wmispqd.exe
1624	wmispqd.exe
1732	wmispqd.exe
1700	wmispqd.exe
2448	wmispqd.exe
2356	wmispqd.exe
2540	wmispqd.exe
2732	wmispqd.exe
2804	wmispqd.exe
2440	wmispqd.exe
2168	wmispqd.exe
2648	wmispqd.exe
2936	wmispqd.exe
2240	wmispqd.exe
1816	wmispqd.exe
2212	wmispqd.exe
2364	wmispqd.exe
664	wmispqd.exe
1868	wmispqd.exe
536	wmispqd.exe
1788	wmispqd.exe
2288	wmispqd.exe
1348	wmispqd.exe
2400	wmispqd.exe
2232	wmispqd.exe
1588	wmispqd.exe
2144	wmispqd.exe
2580	wmispqd.exe
2576	wmispqd.exe
1796	wmispqd.exe
2184	wmispqd.exe

Loads dropped DLL 64 IoCs

pid	Process
3048	c0e5c2b62d47728b11de9bbd9411f287.exe
3048	c0e5c2b62d47728b11de9bbd9411f287.exe
2588	wmispqd.exe
2600	wmispqd.exe
2600	wmispqd.exe
2976	wmispqd.exe
2976	wmispqd.exe
2636	wmispqd.exe
2636	wmispqd.exe
1808	wmispqd.exe
1808	wmispqd.exe
1284	wmispqd.exe
1284	wmispqd.exe
1492	wmispqd.exe
1492	wmispqd.exe
2104	wmispqd.exe
2104	wmispqd.exe
912	wmispqd.exe
912	wmispqd.exe
2952	wmispqd.exe
2952	wmispqd.exe
1408	wmispqd.exe
1408	wmispqd.exe
2728	wmispqd.exe
2728	wmispqd.exe
2508	wmispqd.exe
2508	wmispqd.exe
1832	wmispqd.exe
1832	wmispqd.exe
760	wmispqd.exe
760	wmispqd.exe
2280	wmispqd.exe
2280	wmispqd.exe
1484	wmispqd.exe
1484	wmispqd.exe
2156	wmispqd.exe
2156	wmispqd.exe
1732	wmispqd.exe
1732	wmispqd.exe
2448	wmispqd.exe
2448	wmispqd.exe
2540	wmispqd.exe
2540	wmispqd.exe
2804	wmispqd.exe
2804	wmispqd.exe
2168	wmispqd.exe
2168	wmispqd.exe
2936	wmispqd.exe
2936	wmispqd.exe
1816	wmispqd.exe
1816	wmispqd.exe
2364	wmispqd.exe
2364	wmispqd.exe
1868	wmispqd.exe
1868	wmispqd.exe
1788	wmispqd.exe
1788	wmispqd.exe
1348	wmispqd.exe
1348	wmispqd.exe
2232	wmispqd.exe
2232	wmispqd.exe
2144	wmispqd.exe
2144	wmispqd.exe
2576	wmispqd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3048-5-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3048-7-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3048-9-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3048-14-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3048-15-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3048-16-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3048-17-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3048-28-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2600-52-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2600-51-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2600-50-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2600-49-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2600-56-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2976-73-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2976-77-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2976-81-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2636-99-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2636-102-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2636-111-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1808-127-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1808-130-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1808-137-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1284-154-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1284-157-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1284-165-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1492-182-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1492-185-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1492-193-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2104-208-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2104-211-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2104-219-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/912-236-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/912-245-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2952-260-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2952-268-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1408-286-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1408-289-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1408-297-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2728-316-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2728-317-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2728-325-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2508-344-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2508-353-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-370-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-373-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-379-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/760-395-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/760-399-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2280-417-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2280-418-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2280-422-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1484-440-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1484-442-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1484-446-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2156-463-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2156-466-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2156-470-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1732-487-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	c0e5c2b62d47728b11de9bbd9411f287.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	c0e5c2b62d47728b11de9bbd9411f287.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File created	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe
File opened for modification	C:\Windows\SysWOW64\wmispqd.exe	wmispqd.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 3048	2356	c0e5c2b62d47728b11de9bbd9411f287.exe	28
PID 2588 set thread context of 2600	2588	wmispqd.exe	30
PID 2492 set thread context of 2976	2492	wmispqd.exe	32
PID 2680 set thread context of 2636	2680	wmispqd.exe	34
PID 760 set thread context of 1808	760	wmispqd.exe	36
PID 1544 set thread context of 1284	1544	wmispqd.exe	38
PID 536 set thread context of 1492	536	wmispqd.exe	40
PID 1908 set thread context of 2104	1908	wmispqd.exe	42
PID 840 set thread context of 912	840	wmispqd.exe	44
PID 2800 set thread context of 2952	2800	wmispqd.exe	46
PID 1412 set thread context of 1408	1412	wmispqd.exe	48
PID 2456 set thread context of 2728	2456	wmispqd.exe	50
PID 2948 set thread context of 2508	2948	wmispqd.exe	52
PID 1192 set thread context of 1832	1192	wmispqd.exe	54
PID 2912 set thread context of 760	2912	wmispqd.exe	56
PID 1868 set thread context of 2280	1868	wmispqd.exe	58
PID 1164 set thread context of 1484	1164	wmispqd.exe	60
PID 2416 set thread context of 2156	2416	wmispqd.exe	62
PID 1624 set thread context of 1732	1624	wmispqd.exe	64
PID 1700 set thread context of 2448	1700	wmispqd.exe	66
PID 2356 set thread context of 2540	2356	wmispqd.exe	68
PID 2732 set thread context of 2804	2732	wmispqd.exe	70
PID 2440 set thread context of 2168	2440	wmispqd.exe	72
PID 2648 set thread context of 2936	2648	wmispqd.exe	74
PID 2240 set thread context of 1816	2240	wmispqd.exe	76
PID 2212 set thread context of 2364	2212	wmispqd.exe	78
PID 664 set thread context of 1868	664	wmispqd.exe	80
PID 536 set thread context of 1788	536	wmispqd.exe	82
PID 2288 set thread context of 1348	2288	wmispqd.exe	84
PID 2400 set thread context of 2232	2400	wmispqd.exe	88
PID 1588 set thread context of 2144	1588	wmispqd.exe	90
PID 2580 set thread context of 2576	2580	wmispqd.exe	92
PID 1796 set thread context of 2184	1796	wmispqd.exe	94
PID 2824 set thread context of 2680	2824	wmispqd.exe	96
PID 1216 set thread context of 2340	1216	wmispqd.exe	98
PID 1820 set thread context of 2212	1820	wmispqd.exe	100
PID 992 set thread context of 2688	992	wmispqd.exe	102
PID 3060 set thread context of 1020	3060	wmispqd.exe	104
PID 592 set thread context of 1652	592	wmispqd.exe	106
PID 2328 set thread context of 1752	2328	wmispqd.exe	108
PID 2384 set thread context of 1588	2384	wmispqd.exe	110
PID 2792 set thread context of 2608	2792	wmispqd.exe	112
PID 2548 set thread context of 2452	2548	wmispqd.exe	114
PID 2592 set thread context of 2764	2592	wmispqd.exe	116
PID 1332 set thread context of 1560	1332	wmispqd.exe	118
PID 2132 set thread context of 2064	2132	wmispqd.exe	120
PID 2888 set thread context of 3052	2888	wmispqd.exe	122
PID 2108 set thread context of 1908	2108	wmispqd.exe	124
PID 3068 set thread context of 892	3068	wmispqd.exe	126
PID 1604 set thread context of 1736	1604	wmispqd.exe	128
PID 2716 set thread context of 2384	2716	wmispqd.exe	130
PID 2676 set thread context of 2480	2676	wmispqd.exe	132
PID 1792 set thread context of 1616	1792	wmispqd.exe	134
PID 2776 set thread context of 1644	2776	wmispqd.exe	136
PID 2424 set thread context of 1292	2424	wmispqd.exe	138
PID 1108 set thread context of 2276	1108	wmispqd.exe	140
PID 2872 set thread context of 1640	2872	wmispqd.exe	142
PID 2224 set thread context of 568	2224	wmispqd.exe	144
PID 2796 set thread context of 880	2796	wmispqd.exe	146
PID 2628 set thread context of 2136	2628	wmispqd.exe	148
PID 1956 set thread context of 2460	1956	wmispqd.exe	150
PID 2740 set thread context of 2556	2740	wmispqd.exe	152
PID 1936 set thread context of 2752	1936	wmispqd.exe	154
PID 2592 set thread context of 1660	2592	wmispqd.exe	156

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	c0e5c2b62d47728b11de9bbd9411f287.exe
2600	wmispqd.exe
2976	wmispqd.exe
2636	wmispqd.exe
1808	wmispqd.exe
1284	wmispqd.exe
1492	wmispqd.exe
2104	wmispqd.exe
912	wmispqd.exe
2952	wmispqd.exe
1408	wmispqd.exe
2728	wmispqd.exe
2508	wmispqd.exe
1832	wmispqd.exe
760	wmispqd.exe
2280	wmispqd.exe
1484	wmispqd.exe
2156	wmispqd.exe
1732	wmispqd.exe
2448	wmispqd.exe
2540	wmispqd.exe
2804	wmispqd.exe
2168	wmispqd.exe
2936	wmispqd.exe
1816	wmispqd.exe
2364	wmispqd.exe
1868	wmispqd.exe
1788	wmispqd.exe
1348	wmispqd.exe
2232	wmispqd.exe
2144	wmispqd.exe
2576	wmispqd.exe
2184	wmispqd.exe
2680	wmispqd.exe
2340	wmispqd.exe
2212	wmispqd.exe
2688	wmispqd.exe
1020	wmispqd.exe
1652	wmispqd.exe
1752	wmispqd.exe
1588	wmispqd.exe
2608	wmispqd.exe
2452	wmispqd.exe
2764	wmispqd.exe
1560	wmispqd.exe
2064	wmispqd.exe
3052	wmispqd.exe
1908	wmispqd.exe
892	wmispqd.exe
2384	wmispqd.exe
2480	wmispqd.exe
1616	wmispqd.exe
1644	wmispqd.exe
1292	wmispqd.exe
2276	wmispqd.exe
1640	wmispqd.exe
568	wmispqd.exe
880	wmispqd.exe
2136	wmispqd.exe
2460	wmispqd.exe
2556	wmispqd.exe
2752	wmispqd.exe
1660	wmispqd.exe
2088	wmispqd.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2356	c0e5c2b62d47728b11de9bbd9411f287.exe
2588	wmispqd.exe
2492	wmispqd.exe
2680	wmispqd.exe
760	wmispqd.exe
1544	wmispqd.exe
536	wmispqd.exe
1908	wmispqd.exe
840	wmispqd.exe
2800	wmispqd.exe
1412	wmispqd.exe
2456	wmispqd.exe
2948	wmispqd.exe
1192	wmispqd.exe
2912	wmispqd.exe
1868	wmispqd.exe
1164	wmispqd.exe
2416	wmispqd.exe
1624	wmispqd.exe
1700	wmispqd.exe
2356	wmispqd.exe
2732	wmispqd.exe
2440	wmispqd.exe
2648	wmispqd.exe
2240	wmispqd.exe
2212	wmispqd.exe
664	wmispqd.exe
536	wmispqd.exe
2288	wmispqd.exe
2400	wmispqd.exe
1588	wmispqd.exe
2580	wmispqd.exe
1796	wmispqd.exe
2824	wmispqd.exe
1216	wmispqd.exe
1820	wmispqd.exe
992	wmispqd.exe
3060	wmispqd.exe
592	wmispqd.exe
2328	wmispqd.exe
2384	wmispqd.exe
2792	wmispqd.exe
2548	wmispqd.exe
2592	wmispqd.exe
1332	wmispqd.exe
2132	wmispqd.exe
2888	wmispqd.exe
2108	wmispqd.exe
3068	wmispqd.exe
1604	wmispqd.exe
2716	wmispqd.exe
2676	wmispqd.exe
1792	wmispqd.exe
2776	wmispqd.exe
2424	wmispqd.exe
1108	wmispqd.exe
2872	wmispqd.exe
2224	wmispqd.exe
2796	wmispqd.exe
2628	wmispqd.exe
1956	wmispqd.exe
2740	wmispqd.exe
1936	wmispqd.exe
2592	wmispqd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3048	2356	c0e5c2b62d47728b11de9bbd9411f287.exe	28
PID 2356 wrote to memory of 3048	2356	c0e5c2b62d47728b11de9bbd9411f287.exe	28
PID 2356 wrote to memory of 3048	2356	c0e5c2b62d47728b11de9bbd9411f287.exe	28
PID 2356 wrote to memory of 3048	2356	c0e5c2b62d47728b11de9bbd9411f287.exe	28
PID 2356 wrote to memory of 3048	2356	c0e5c2b62d47728b11de9bbd9411f287.exe	28
PID 2356 wrote to memory of 3048	2356	c0e5c2b62d47728b11de9bbd9411f287.exe	28
PID 2356 wrote to memory of 3048	2356	c0e5c2b62d47728b11de9bbd9411f287.exe	28
PID 2356 wrote to memory of 3048	2356	c0e5c2b62d47728b11de9bbd9411f287.exe	28
PID 3048 wrote to memory of 2588	3048	c0e5c2b62d47728b11de9bbd9411f287.exe	29
PID 3048 wrote to memory of 2588	3048	c0e5c2b62d47728b11de9bbd9411f287.exe	29
PID 3048 wrote to memory of 2588	3048	c0e5c2b62d47728b11de9bbd9411f287.exe	29
PID 3048 wrote to memory of 2588	3048	c0e5c2b62d47728b11de9bbd9411f287.exe	29
PID 2588 wrote to memory of 2600	2588	wmispqd.exe	30
PID 2588 wrote to memory of 2600	2588	wmispqd.exe	30
PID 2588 wrote to memory of 2600	2588	wmispqd.exe	30
PID 2588 wrote to memory of 2600	2588	wmispqd.exe	30
PID 2588 wrote to memory of 2600	2588	wmispqd.exe	30
PID 2588 wrote to memory of 2600	2588	wmispqd.exe	30
PID 2588 wrote to memory of 2600	2588	wmispqd.exe	30
PID 2588 wrote to memory of 2600	2588	wmispqd.exe	30
PID 2600 wrote to memory of 2492	2600	wmispqd.exe	31
PID 2600 wrote to memory of 2492	2600	wmispqd.exe	31
PID 2600 wrote to memory of 2492	2600	wmispqd.exe	31
PID 2600 wrote to memory of 2492	2600	wmispqd.exe	31
PID 2492 wrote to memory of 2976	2492	wmispqd.exe	32
PID 2492 wrote to memory of 2976	2492	wmispqd.exe	32
PID 2492 wrote to memory of 2976	2492	wmispqd.exe	32
PID 2492 wrote to memory of 2976	2492	wmispqd.exe	32
PID 2492 wrote to memory of 2976	2492	wmispqd.exe	32
PID 2492 wrote to memory of 2976	2492	wmispqd.exe	32
PID 2492 wrote to memory of 2976	2492	wmispqd.exe	32
PID 2492 wrote to memory of 2976	2492	wmispqd.exe	32
PID 2976 wrote to memory of 2680	2976	wmispqd.exe	33
PID 2976 wrote to memory of 2680	2976	wmispqd.exe	33
PID 2976 wrote to memory of 2680	2976	wmispqd.exe	33
PID 2976 wrote to memory of 2680	2976	wmispqd.exe	33
PID 2680 wrote to memory of 2636	2680	wmispqd.exe	34
PID 2680 wrote to memory of 2636	2680	wmispqd.exe	34
PID 2680 wrote to memory of 2636	2680	wmispqd.exe	34
PID 2680 wrote to memory of 2636	2680	wmispqd.exe	34
PID 2680 wrote to memory of 2636	2680	wmispqd.exe	34
PID 2680 wrote to memory of 2636	2680	wmispqd.exe	34
PID 2680 wrote to memory of 2636	2680	wmispqd.exe	34
PID 2680 wrote to memory of 2636	2680	wmispqd.exe	34
PID 2636 wrote to memory of 760	2636	wmispqd.exe	35
PID 2636 wrote to memory of 760	2636	wmispqd.exe	35
PID 2636 wrote to memory of 760	2636	wmispqd.exe	35
PID 2636 wrote to memory of 760	2636	wmispqd.exe	35
PID 760 wrote to memory of 1808	760	wmispqd.exe	36
PID 760 wrote to memory of 1808	760	wmispqd.exe	36
PID 760 wrote to memory of 1808	760	wmispqd.exe	36
PID 760 wrote to memory of 1808	760	wmispqd.exe	36
PID 760 wrote to memory of 1808	760	wmispqd.exe	36
PID 760 wrote to memory of 1808	760	wmispqd.exe	36
PID 760 wrote to memory of 1808	760	wmispqd.exe	36
PID 760 wrote to memory of 1808	760	wmispqd.exe	36
PID 1808 wrote to memory of 1544	1808	wmispqd.exe	37
PID 1808 wrote to memory of 1544	1808	wmispqd.exe	37
PID 1808 wrote to memory of 1544	1808	wmispqd.exe	37
PID 1808 wrote to memory of 1544	1808	wmispqd.exe	37
PID 1544 wrote to memory of 1284	1544	wmispqd.exe	38
PID 1544 wrote to memory of 1284	1544	wmispqd.exe	38
PID 1544 wrote to memory of 1284	1544	wmispqd.exe	38
PID 1544 wrote to memory of 1284	1544	wmispqd.exe	38

C:\Users\Admin\AppData\Local\Temp\c0e5c2b62d47728b11de9bbd9411f287.exe
"C:\Users\Admin\AppData\Local\Temp\c0e5c2b62d47728b11de9bbd9411f287.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\c0e5c2b62d47728b11de9bbd9411f287.exe
  C:\Users\Admin\AppData\Local\Temp\c0e5c2b62d47728b11de9bbd9411f287.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\wmispqd.exe
    "C:\Windows\system32\wmispqd.exe" C:\Users\Admin\AppData\Local\Temp\C0E5C2~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\wmispqd.exe
      C:\Windows\SysWOW64\wmispqd.exe C:\Users\Admin\AppData\Local\Temp\C0E5C2~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1492
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1408
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2448
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:664
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2144
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        68⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        69⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        70⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        71⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        72⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        73⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        74⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        75⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        76⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        78⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        80⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        81⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        82⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1588
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        84⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        85⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        86⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        88⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        89⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        90⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        91⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        92⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        94⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        95⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        96⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        98⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:892
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        99⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        100⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        101⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        102⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        103⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        104⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        105⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        106⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        107⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        108⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        109⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        110⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1292
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        111⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        112⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        113⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        114⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        115⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        116⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        117⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        118⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        119⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        120⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        121⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        122⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        123⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        124⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        125⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        126⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        127⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        128⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        129⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        130⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        131⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        132⤵
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        133⤵
        
        PID:448
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        134⤵
        
        PID:408
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        135⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        136⤵
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        137⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        138⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        139⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        140⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        141⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        142⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        143⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        144⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        145⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        146⤵
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        147⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        148⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        149⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        150⤵
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        151⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        152⤵
        
        PID:684
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        153⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        154⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        155⤵
        
        PID:664
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        156⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        157⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        158⤵
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        159⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        160⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        161⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        162⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        163⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        164⤵
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        165⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        166⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        167⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        168⤵
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        169⤵
        
        PID:580
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        170⤵
        
        PID:632
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        171⤵
        
        PID:576
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        172⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        173⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        174⤵
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        175⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        176⤵
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        "C:\Windows\system32\wmispqd.exe" C:\Windows\SysWOW64\wmispqd.exe
        177⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\wmispqd.exe
        
        C:\Windows\SysWOW64\wmispqd.exe C:\Windows\SysWOW64\wmispqd.exe
        178⤵
        
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmispqd.exe

Filesize
232KB

MD5
c0e5c2b62d47728b11de9bbd9411f287

SHA1
a95e8de5f747018729f10bd29c8105382952d8da

SHA256
8c0b64250cc45b6355e000c19f84277ed36c82db1ee2a7a0b1b7b61715f637c8

SHA512
f87ea7ece09df6d2652cd566fbeb3b37d8277e8edd0d1ec8a5cfbd969261105447a95ea874a1a0b167539b445f6964edb4bacd70b8b5caa46134f12333aa68a7

Download Submit
C:\Windows\SysWOW64\wmispqd.exe

Filesize
128KB

MD5
031472646f6b93b7381f08758002374b

SHA1
dc0fc53fefc5b21d7027ad7b0ae215acb02de5f5

SHA256
b05492b94537d9af1eb2630ae58a76423f71320b3a60e5a56d284ccff699f45d

SHA512
a63bf61deb78d5bb222bc41b8bff398299551670af1d4529423412f219925f3c0f30a8da8131c324b54ef73eb20e50de1b6e1ad315f8b4251d2aa9b0fff0a2bc

Download Submit
memory/536-166-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/760-395-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/760-112-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/760-399-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/840-220-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/912-236-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/912-245-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1164-426-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1192-354-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1284-165-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1284-154-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1284-157-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1408-289-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1408-297-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1408-286-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1412-270-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1484-446-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1484-442-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1484-440-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1492-185-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1492-193-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1492-182-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1544-139-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1624-472-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1732-487-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1808-127-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1808-130-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1808-137-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-379-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-373-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-370-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1868-403-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1908-194-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2104-208-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2104-219-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2104-211-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2156-466-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2156-463-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2156-470-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2280-422-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2280-418-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2280-417-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2356-4-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2416-450-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2456-300-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2492-60-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2508-344-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2508-353-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2588-32-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2600-56-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-49-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-52-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-51-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-50-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2636-102-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2636-111-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2636-99-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-88-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2728-325-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2728-317-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2728-316-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2912-380-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2948-329-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2952-268-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2952-260-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2976-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2976-77-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2976-73-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-14-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-9-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-16-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-2-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-17-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-28-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-5-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download