metasploit | e8d610e3f2e1f74709b0ebd886acd017fd5d48fee94f50f04c3cab128ce3a345

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
Size

214KB
MD5

c59d6896224266655faa7bdf6478ff08
SHA1

2453856bada31197671ce8d5c845169a185eb604
SHA256

e8d610e3f2e1f74709b0ebd886acd017fd5d48fee94f50f04c3cab128ce3a345
SHA512

6fe92cce102070e7b874f6d6405c6f9ae789f3bc083fc378905dd0517f0bf0779c48c0609facd5cd252653b6a2a55e27459b1a55caa275d73d6dfe5d9e131ede
SSDEEP

6144:JoW05D1fPM203JEIyCk4v9XeYQGpKBZsyYVJ1Fz:Jo/ZP03JEnfJYQkK9EJnz

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmitkfk.exe

Deletes itself 1 IoCs

pid	Process
4464	wmitkfk.exe

Executes dropped EXE 64 IoCs

pid	Process
3012	wmitkfk.exe
4464	wmitkfk.exe
4892	wmitkfk.exe
3716	wmitkfk.exe
4960	wmitkfk.exe
4648	wmitkfk.exe
1140	wmitkfk.exe
4768	wmitkfk.exe
3964	wmitkfk.exe
2928	wmitkfk.exe
2264	wmitkfk.exe
1156	wmitkfk.exe
2456	wmitkfk.exe
4092	wmitkfk.exe
1904	wmitkfk.exe
4952	wmitkfk.exe
3440	wmitkfk.exe
4568	wmitkfk.exe
3700	wmitkfk.exe
556	wmitkfk.exe
1840	wmitkfk.exe
3256	wmitkfk.exe
3660	wmitkfk.exe
1580	wmitkfk.exe
744	wmitkfk.exe
2444	wmitkfk.exe
4588	wmitkfk.exe
4804	wmitkfk.exe
4232	wmitkfk.exe
2560	wmitkfk.exe
1328	wmitkfk.exe
2044	wmitkfk.exe
1464	wmitkfk.exe
2472	wmitkfk.exe
2872	wmitkfk.exe
1044	wmitkfk.exe
112	wmitkfk.exe
5028	wmitkfk.exe
2772	wmitkfk.exe
972	wmitkfk.exe
4168	wmitkfk.exe
64	wmitkfk.exe
3540	wmitkfk.exe
4988	wmitkfk.exe
4384	wmitkfk.exe
3508	wmitkfk.exe
1456	wmitkfk.exe
2156	wmitkfk.exe
3012	wmitkfk.exe
4660	wmitkfk.exe
1528	wmitkfk.exe
4588	wmitkfk.exe
3152	wmitkfk.exe
4960	wmitkfk.exe
1140	wmitkfk.exe
3192	wmitkfk.exe
1508	wmitkfk.exe
3348	wmitkfk.exe
3568	wmitkfk.exe
4264	wmitkfk.exe
4784	wmitkfk.exe
924	wmitkfk.exe
1568	wmitkfk.exe
512	wmitkfk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File created	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe
File opened for modification	C:\Windows\SysWOW64\wmitkfk.exe	wmitkfk.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 1540	2916	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	84
PID 3012 set thread context of 4464	3012	wmitkfk.exe	86
PID 4892 set thread context of 3716	4892	wmitkfk.exe	88
PID 4960 set thread context of 4648	4960	wmitkfk.exe	91
PID 1140 set thread context of 4768	1140	wmitkfk.exe	93
PID 3964 set thread context of 2928	3964	wmitkfk.exe	95
PID 2264 set thread context of 1156	2264	wmitkfk.exe	97
PID 2456 set thread context of 4092	2456	wmitkfk.exe	104
PID 1904 set thread context of 4952	1904	wmitkfk.exe	107
PID 3440 set thread context of 4568	3440	wmitkfk.exe	111
PID 3700 set thread context of 556	3700	wmitkfk.exe	113
PID 1840 set thread context of 3256	1840	wmitkfk.exe	119
PID 3660 set thread context of 1580	3660	wmitkfk.exe	121
PID 744 set thread context of 2444	744	wmitkfk.exe	123
PID 4588 set thread context of 4804	4588	wmitkfk.exe	125
PID 4232 set thread context of 2560	4232	wmitkfk.exe	127
PID 1328 set thread context of 2044	1328	wmitkfk.exe	129
PID 1464 set thread context of 2472	1464	wmitkfk.exe	131
PID 2872 set thread context of 1044	2872	wmitkfk.exe	133
PID 112 set thread context of 5028	112	wmitkfk.exe	137
PID 2772 set thread context of 972	2772	wmitkfk.exe	140
PID 4168 set thread context of 64	4168	wmitkfk.exe	142
PID 3540 set thread context of 4988	3540	wmitkfk.exe	144
PID 4384 set thread context of 3508	4384	wmitkfk.exe	146
PID 1456 set thread context of 2156	1456	wmitkfk.exe	148
PID 3012 set thread context of 4660	3012	wmitkfk.exe	150
PID 1528 set thread context of 4588	1528	wmitkfk.exe	152
PID 3152 set thread context of 4960	3152	wmitkfk.exe	154
PID 1140 set thread context of 3192	1140	wmitkfk.exe	156
PID 1508 set thread context of 3348	1508	wmitkfk.exe	158
PID 3568 set thread context of 4264	3568	wmitkfk.exe	160
PID 4784 set thread context of 924	4784	wmitkfk.exe	162
PID 1568 set thread context of 512	1568	wmitkfk.exe	164
PID 3632 set thread context of 1076	3632	wmitkfk.exe	166
PID 2572 set thread context of 2124	2572	wmitkfk.exe	168
PID 4980 set thread context of 4748	4980	wmitkfk.exe	170
PID 4544 set thread context of 544	4544	wmitkfk.exe	172
PID 4488 set thread context of 3332	4488	wmitkfk.exe	174
PID 1504 set thread context of 4616	1504	wmitkfk.exe	177
PID 184 set thread context of 1972	184	wmitkfk.exe	179
PID 2852 set thread context of 4232	2852	wmitkfk.exe	181
PID 3980 set thread context of 2588	3980	wmitkfk.exe	183
PID 3000 set thread context of 936	3000	wmitkfk.exe	185
PID 1524 set thread context of 1804	1524	wmitkfk.exe	187
PID 4996 set thread context of 2548	4996	wmitkfk.exe	189
PID 3956 set thread context of 1808	3956	wmitkfk.exe	191
PID 468 set thread context of 2912	468	wmitkfk.exe	193
PID 2572 set thread context of 3908	2572	wmitkfk.exe	195
PID 1908 set thread context of 2820	1908	wmitkfk.exe	197
PID 3620 set thread context of 2668	3620	wmitkfk.exe	199
PID 2552 set thread context of 3056	2552	wmitkfk.exe	201
PID 3464 set thread context of 2688	3464	wmitkfk.exe	203
PID 3012 set thread context of 3176	3012	wmitkfk.exe	205
PID 2332 set thread context of 1780	2332	wmitkfk.exe	207
PID 3868 set thread context of 2040	3868	wmitkfk.exe	209
PID 4060 set thread context of 636	4060	wmitkfk.exe	211
PID 3848 set thread context of 4132	3848	wmitkfk.exe	213
PID 2456 set thread context of 1976	2456	wmitkfk.exe	215
PID 368 set thread context of 4176	368	wmitkfk.exe	217
PID 264 set thread context of 3592	264	wmitkfk.exe	219
PID 2068 set thread context of 1428	2068	wmitkfk.exe	221
PID 784 set thread context of 1052	784	wmitkfk.exe	223
PID 2356 set thread context of 1968	2356	wmitkfk.exe	225
PID 4964 set thread context of 4076	4964	wmitkfk.exe	227

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1540-0-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1540-2-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1540-4-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1540-3-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1540-38-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4464-45-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4464-46-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3716-52-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3716-54-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4648-61-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4768-69-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2928-76-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1156-81-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1156-86-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4092-92-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4952-97-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4952-101-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4568-109-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/556-116-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3256-123-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1580-133-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2444-141-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4804-149-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2560-157-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2044-162-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2044-167-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2472-175-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1044-180-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1044-185-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5028-193-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/972-201-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/64-210-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4988-218-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3508-222-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3508-227-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2156-233-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4660-239-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4588-245-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4960-251-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3192-257-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3348-263-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4264-269-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/924-275-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/512-281-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1076-287-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2124-293-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4748-299-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/544-305-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3332-311-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4616-317-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1972-323-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4232-329-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2588-335-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/936-341-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1804-347-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2548-353-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1808-359-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2912-365-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3908-371-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2820-377-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2668-383-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3056-389-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2688-395-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3176-401-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmitkfk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmitkfk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
1540	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
4464	wmitkfk.exe
4464	wmitkfk.exe
3716	wmitkfk.exe
3716	wmitkfk.exe
4648	wmitkfk.exe
4648	wmitkfk.exe
4768	wmitkfk.exe
4768	wmitkfk.exe
2928	wmitkfk.exe
2928	wmitkfk.exe
1156	wmitkfk.exe
1156	wmitkfk.exe
4092	wmitkfk.exe
4092	wmitkfk.exe
4952	wmitkfk.exe
4952	wmitkfk.exe
4568	wmitkfk.exe
4568	wmitkfk.exe
556	wmitkfk.exe
556	wmitkfk.exe
3256	wmitkfk.exe
3256	wmitkfk.exe
1580	wmitkfk.exe
1580	wmitkfk.exe
2444	wmitkfk.exe
2444	wmitkfk.exe
4804	wmitkfk.exe
4804	wmitkfk.exe
2560	wmitkfk.exe
2560	wmitkfk.exe
2044	wmitkfk.exe
2044	wmitkfk.exe
2472	wmitkfk.exe
2472	wmitkfk.exe
1044	wmitkfk.exe
1044	wmitkfk.exe
5028	wmitkfk.exe
5028	wmitkfk.exe
972	wmitkfk.exe
972	wmitkfk.exe
64	wmitkfk.exe
64	wmitkfk.exe
4988	wmitkfk.exe
4988	wmitkfk.exe
3508	wmitkfk.exe
3508	wmitkfk.exe
2156	wmitkfk.exe
2156	wmitkfk.exe
4660	wmitkfk.exe
4660	wmitkfk.exe
4588	wmitkfk.exe
4588	wmitkfk.exe
4960	wmitkfk.exe
4960	wmitkfk.exe
3192	wmitkfk.exe
3192	wmitkfk.exe
3348	wmitkfk.exe
3348	wmitkfk.exe
4264	wmitkfk.exe
4264	wmitkfk.exe
924	wmitkfk.exe
924	wmitkfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1540	2916	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	84
PID 2916 wrote to memory of 1540	2916	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	84
PID 2916 wrote to memory of 1540	2916	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	84
PID 2916 wrote to memory of 1540	2916	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	84
PID 2916 wrote to memory of 1540	2916	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	84
PID 2916 wrote to memory of 1540	2916	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	84
PID 2916 wrote to memory of 1540	2916	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	84
PID 1540 wrote to memory of 3012	1540	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	85
PID 1540 wrote to memory of 3012	1540	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	85
PID 1540 wrote to memory of 3012	1540	c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe	85
PID 3012 wrote to memory of 4464	3012	wmitkfk.exe	86
PID 3012 wrote to memory of 4464	3012	wmitkfk.exe	86
PID 3012 wrote to memory of 4464	3012	wmitkfk.exe	86
PID 3012 wrote to memory of 4464	3012	wmitkfk.exe	86
PID 3012 wrote to memory of 4464	3012	wmitkfk.exe	86
PID 3012 wrote to memory of 4464	3012	wmitkfk.exe	86
PID 3012 wrote to memory of 4464	3012	wmitkfk.exe	86
PID 4464 wrote to memory of 4892	4464	wmitkfk.exe	87
PID 4464 wrote to memory of 4892	4464	wmitkfk.exe	87
PID 4464 wrote to memory of 4892	4464	wmitkfk.exe	87
PID 4892 wrote to memory of 3716	4892	wmitkfk.exe	88
PID 4892 wrote to memory of 3716	4892	wmitkfk.exe	88
PID 4892 wrote to memory of 3716	4892	wmitkfk.exe	88
PID 4892 wrote to memory of 3716	4892	wmitkfk.exe	88
PID 4892 wrote to memory of 3716	4892	wmitkfk.exe	88
PID 4892 wrote to memory of 3716	4892	wmitkfk.exe	88
PID 4892 wrote to memory of 3716	4892	wmitkfk.exe	88
PID 3716 wrote to memory of 4960	3716	wmitkfk.exe	90
PID 3716 wrote to memory of 4960	3716	wmitkfk.exe	90
PID 3716 wrote to memory of 4960	3716	wmitkfk.exe	90
PID 4960 wrote to memory of 4648	4960	wmitkfk.exe	91
PID 4960 wrote to memory of 4648	4960	wmitkfk.exe	91
PID 4960 wrote to memory of 4648	4960	wmitkfk.exe	91
PID 4960 wrote to memory of 4648	4960	wmitkfk.exe	91
PID 4960 wrote to memory of 4648	4960	wmitkfk.exe	91
PID 4960 wrote to memory of 4648	4960	wmitkfk.exe	91
PID 4960 wrote to memory of 4648	4960	wmitkfk.exe	91
PID 4648 wrote to memory of 1140	4648	wmitkfk.exe	92
PID 4648 wrote to memory of 1140	4648	wmitkfk.exe	92
PID 4648 wrote to memory of 1140	4648	wmitkfk.exe	92
PID 1140 wrote to memory of 4768	1140	wmitkfk.exe	93
PID 1140 wrote to memory of 4768	1140	wmitkfk.exe	93
PID 1140 wrote to memory of 4768	1140	wmitkfk.exe	93
PID 1140 wrote to memory of 4768	1140	wmitkfk.exe	93
PID 1140 wrote to memory of 4768	1140	wmitkfk.exe	93
PID 1140 wrote to memory of 4768	1140	wmitkfk.exe	93
PID 1140 wrote to memory of 4768	1140	wmitkfk.exe	93
PID 4768 wrote to memory of 3964	4768	wmitkfk.exe	94
PID 4768 wrote to memory of 3964	4768	wmitkfk.exe	94
PID 4768 wrote to memory of 3964	4768	wmitkfk.exe	94
PID 3964 wrote to memory of 2928	3964	wmitkfk.exe	95
PID 3964 wrote to memory of 2928	3964	wmitkfk.exe	95
PID 3964 wrote to memory of 2928	3964	wmitkfk.exe	95
PID 3964 wrote to memory of 2928	3964	wmitkfk.exe	95
PID 3964 wrote to memory of 2928	3964	wmitkfk.exe	95
PID 3964 wrote to memory of 2928	3964	wmitkfk.exe	95
PID 3964 wrote to memory of 2928	3964	wmitkfk.exe	95
PID 2928 wrote to memory of 2264	2928	wmitkfk.exe	96
PID 2928 wrote to memory of 2264	2928	wmitkfk.exe	96
PID 2928 wrote to memory of 2264	2928	wmitkfk.exe	96
PID 2264 wrote to memory of 1156	2264	wmitkfk.exe	97
PID 2264 wrote to memory of 1156	2264	wmitkfk.exe	97
PID 2264 wrote to memory of 1156	2264	wmitkfk.exe	97
PID 2264 wrote to memory of 1156	2264	wmitkfk.exe	97

C:\Users\Admin\AppData\Local\Temp\c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c59d6896224266655faa7bdf6478ff08_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\wmitkfk.exe
    "C:\Windows\system32\wmitkfk.exe" C:\Users\Admin\AppData\Local\Temp\C59D68~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\wmitkfk.exe
      "C:\Windows\SysWOW64\wmitkfk.exe" C:\Users\Admin\AppData\Local\Temp\C59D68~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4464
    - - C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2456
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4092
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1904
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4952
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3440
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4568
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1840
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3256
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3660
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:744
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4804
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4232
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1328
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1464
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2872
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:112
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5028
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2772
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:972
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:64
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3540
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4384
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3508
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1456
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3012
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4660
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3152
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4960
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1140
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3192
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1508
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3348
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3568
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4264
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1568
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        67⤵
        Suspicious use of SetThreadContext
        
        PID:3632
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        71⤵
        Suspicious use of SetThreadContext
        
        PID:4980
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        72⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        73⤵
        Suspicious use of SetThreadContext
        
        PID:4544
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        74⤵
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        75⤵
        Suspicious use of SetThreadContext
        
        PID:4488
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        77⤵
        Suspicious use of SetThreadContext
        
        PID:1504
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        79⤵
        Suspicious use of SetThreadContext
        
        PID:184
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        81⤵
        Suspicious use of SetThreadContext
        
        PID:2852
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        83⤵
        Suspicious use of SetThreadContext
        
        PID:3980
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        85⤵
        Suspicious use of SetThreadContext
        
        PID:3000
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        87⤵
        Suspicious use of SetThreadContext
        
        PID:1524
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        90⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        91⤵
        Suspicious use of SetThreadContext
        
        PID:3956
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        92⤵
        Checks computer location settings
        
        PID:1808
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        93⤵
        Suspicious use of SetThreadContext
        
        PID:468
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        94⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        95⤵
        Suspicious use of SetThreadContext
        
        PID:2572
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        97⤵
        Suspicious use of SetThreadContext
        
        PID:1908
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2552
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        103⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        105⤵
        Suspicious use of SetThreadContext
        
        PID:3012
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        107⤵
        Suspicious use of SetThreadContext
        
        PID:2332
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        108⤵
        Checks computer location settings
        
        PID:1780
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        109⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        110⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        111⤵
        Suspicious use of SetThreadContext
        
        PID:4060
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        112⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        113⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2456
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        116⤵
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        117⤵
        Suspicious use of SetThreadContext
        
        PID:368
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        118⤵
        Checks computer location settings
        
        PID:4176
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        119⤵
        Suspicious use of SetThreadContext
        
        PID:264
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        120⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        121⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        122⤵
        Checks computer location settings
        
        PID:1428
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        123⤵
        Suspicious use of SetThreadContext
        
        PID:784
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        124⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        126⤵
        Checks computer location settings
        
        PID:1968
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        127⤵
        Suspicious use of SetThreadContext
        
        PID:4964
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        128⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        129⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        130⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        131⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        133⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        134⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        135⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        136⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        137⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        138⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        139⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        141⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        142⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        143⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        144⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        145⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        146⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        147⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        148⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        150⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        152⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        153⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        154⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        156⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        157⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        158⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        160⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        162⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        163⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        164⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        165⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        167⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        168⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        169⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        170⤵
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        172⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        174⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        175⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        176⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\system32\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        177⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\wmitkfk.exe
        
        "C:\Windows\SysWOW64\wmitkfk.exe" C:\Windows\SysWOW64\wmitkfk.exe
        178⤵
        Drops file in System32 directory
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmitkfk.exe

Filesize
214KB

MD5
c59d6896224266655faa7bdf6478ff08

SHA1
2453856bada31197671ce8d5c845169a185eb604

SHA256
e8d610e3f2e1f74709b0ebd886acd017fd5d48fee94f50f04c3cab128ce3a345

SHA512
6fe92cce102070e7b874f6d6405c6f9ae789f3bc083fc378905dd0517f0bf0779c48c0609facd5cd252653b6a2a55e27459b1a55caa275d73d6dfe5d9e131ede

Download Submit
memory/64-210-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/320-515-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/512-281-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/544-305-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/552-587-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/556-116-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/636-419-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/772-563-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/924-275-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/936-341-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/972-201-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1044-185-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1044-180-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1052-455-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1076-287-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1156-81-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1156-86-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1396-527-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1428-449-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1540-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1540-38-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1540-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1540-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1540-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1580-133-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1628-485-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1692-581-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1780-407-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1804-347-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1808-359-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1968-461-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1972-323-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1976-431-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2040-413-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-167-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-162-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2124-293-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2156-539-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2156-233-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2356-557-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2444-141-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2472-175-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2488-521-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2548-353-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2560-157-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2588-335-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2668-383-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2688-395-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2820-377-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2852-605-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2872-503-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2912-365-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2928-76-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3032-497-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3056-389-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3092-509-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3176-401-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3192-257-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3256-123-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3332-311-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3348-263-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3508-227-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3508-222-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3592-443-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3620-569-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3632-551-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3716-54-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3716-52-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3824-545-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3908-371-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4076-467-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4092-92-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4132-425-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4176-437-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4180-491-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4200-611-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4232-329-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4264-269-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4272-533-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4420-575-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4464-46-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4464-45-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4568-109-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4588-245-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4616-317-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4648-61-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4660-239-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4680-593-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4748-299-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4768-69-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4804-149-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4812-479-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4816-599-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4860-473-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4952-97-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4952-101-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4960-251-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4988-218-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5028-193-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download