metasploit | ed817bdcb48adc2f8fd16ce462bf53d634ac326f5cf2545beeaa07bcb08b239f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
Size

267KB
MD5

daa4c6bec7172d8ac999a9fce4dabe93
SHA1

4f965013d1497c6767dd7fbd230b262228bf2b0b
SHA256

ed817bdcb48adc2f8fd16ce462bf53d634ac326f5cf2545beeaa07bcb08b239f
SHA512

74aa037f2f89e4aa8495b771fca2e04189c70ecf3f960e7da802ded52de645246b4877bd65907584970bc3cb7883182c3d09bf788b45d695456ed60732412e54
SSDEEP

6144:WV+RtpxaqIgasEnawhJpuTB2sT2wyLCx0F1cL+I5:mAaawPpBw4g9L

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wmisxjg.exe

Deletes itself 1 IoCs

pid	Process
4704	wmisxjg.exe

Executes dropped EXE 64 IoCs

pid	Process
4824	wmisxjg.exe
4704	wmisxjg.exe
3516	wmisxjg.exe
3800	wmisxjg.exe
1064	wmisxjg.exe
704	wmisxjg.exe
3500	wmisxjg.exe
4376	wmisxjg.exe
1772	wmisxjg.exe
2128	wmisxjg.exe
1672	wmisxjg.exe
4240	wmisxjg.exe
540	wmisxjg.exe
1964	wmisxjg.exe
2960	wmisxjg.exe
2052	wmisxjg.exe
3164	wmisxjg.exe
544	wmisxjg.exe
1080	wmisxjg.exe
3036	wmisxjg.exe
3456	wmisxjg.exe
4064	wmisxjg.exe
1864	wmisxjg.exe
3584	wmisxjg.exe
2644	wmisxjg.exe
4032	wmisxjg.exe
3552	wmisxjg.exe
4852	wmisxjg.exe
4152	wmisxjg.exe
2064	wmisxjg.exe
4092	wmisxjg.exe
2352	wmisxjg.exe
5092	wmisxjg.exe
2624	wmisxjg.exe
2264	wmisxjg.exe
2720	wmisxjg.exe
552	wmisxjg.exe
1496	wmisxjg.exe
4680	wmisxjg.exe
2992	wmisxjg.exe
472	wmisxjg.exe
4844	wmisxjg.exe
1868	wmisxjg.exe
4344	wmisxjg.exe
5052	wmisxjg.exe
804	wmisxjg.exe
1424	wmisxjg.exe
3972	wmisxjg.exe
800	wmisxjg.exe
860	wmisxjg.exe
5044	wmisxjg.exe
1188	wmisxjg.exe
2688	wmisxjg.exe
5080	wmisxjg.exe
4084	wmisxjg.exe
1436	wmisxjg.exe
4372	wmisxjg.exe
2244	wmisxjg.exe
3660	wmisxjg.exe
2004	wmisxjg.exe
1760	wmisxjg.exe
2124	wmisxjg.exe
3540	wmisxjg.exe
2268	wmisxjg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File opened for modification	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe
File created	C:\Windows\SysWOW64\wmisxjg.exe	wmisxjg.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3268 set thread context of 4676	3268	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	83
PID 4824 set thread context of 4704	4824	wmisxjg.exe	85
PID 3516 set thread context of 3800	3516	wmisxjg.exe	87
PID 1064 set thread context of 704	1064	wmisxjg.exe	90
PID 3500 set thread context of 4376	3500	wmisxjg.exe	92
PID 1772 set thread context of 2128	1772	wmisxjg.exe	94
PID 1672 set thread context of 4240	1672	wmisxjg.exe	96
PID 540 set thread context of 1964	540	wmisxjg.exe	98
PID 2960 set thread context of 2052	2960	wmisxjg.exe	100
PID 3164 set thread context of 544	3164	wmisxjg.exe	104
PID 1080 set thread context of 3036	1080	wmisxjg.exe	110
PID 1864 set thread context of 3584	1864	wmisxjg.exe	116
PID 2644 set thread context of 4032	2644	wmisxjg.exe	118
PID 3552 set thread context of 4852	3552	wmisxjg.exe	124
PID 4152 set thread context of 2064	4152	wmisxjg.exe	126
PID 4092 set thread context of 2352	4092	wmisxjg.exe	128
PID 5092 set thread context of 2624	5092	wmisxjg.exe	130
PID 2264 set thread context of 2720	2264	wmisxjg.exe	133
PID 552 set thread context of 1496	552	wmisxjg.exe	136
PID 4680 set thread context of 2992	4680	wmisxjg.exe	139
PID 472 set thread context of 4844	472	wmisxjg.exe	141
PID 1868 set thread context of 4344	1868	wmisxjg.exe	143
PID 5052 set thread context of 804	5052	wmisxjg.exe	145
PID 1424 set thread context of 3972	1424	wmisxjg.exe	147
PID 800 set thread context of 860	800	wmisxjg.exe	149
PID 5044 set thread context of 1188	5044	wmisxjg.exe	151
PID 2688 set thread context of 5080	2688	wmisxjg.exe	153
PID 4084 set thread context of 1436	4084	wmisxjg.exe	155
PID 4372 set thread context of 2244	4372	wmisxjg.exe	157
PID 3660 set thread context of 2004	3660	wmisxjg.exe	159
PID 1760 set thread context of 2124	1760	wmisxjg.exe	161
PID 3540 set thread context of 2268	3540	wmisxjg.exe	163
PID 1728 set thread context of 4860	1728	wmisxjg.exe	165
PID 4988 set thread context of 1204	4988	wmisxjg.exe	167
PID 3920 set thread context of 1444	3920	wmisxjg.exe	169
PID 4456 set thread context of 1920	4456	wmisxjg.exe	171
PID 2692 set thread context of 3268	2692	wmisxjg.exe	174
PID 224 set thread context of 4948	224	wmisxjg.exe	176
PID 2964 set thread context of 1580	2964	wmisxjg.exe	178
PID 3876 set thread context of 4812	3876	wmisxjg.exe	180
PID 3120 set thread context of 2892	3120	wmisxjg.exe	182
PID 1844 set thread context of 3032	1844	wmisxjg.exe	184
PID 4756 set thread context of 3664	4756	wmisxjg.exe	186
PID 4992 set thread context of 2948	4992	wmisxjg.exe	188
PID 3000 set thread context of 3124	3000	wmisxjg.exe	190
PID 2608 set thread context of 392	2608	wmisxjg.exe	192
PID 4388 set thread context of 4492	4388	wmisxjg.exe	194
PID 1616 set thread context of 552	1616	wmisxjg.exe	196
PID 4988 set thread context of 812	4988	wmisxjg.exe	198
PID 2344 set thread context of 4288	2344	wmisxjg.exe	200
PID 1080 set thread context of 2404	1080	wmisxjg.exe	202
PID 2496 set thread context of 1312	2496	wmisxjg.exe	204
PID 3324 set thread context of 5008	3324	wmisxjg.exe	206
PID 444 set thread context of 2432	444	wmisxjg.exe	208
PID 5072 set thread context of 3272	5072	wmisxjg.exe	210
PID 5032 set thread context of 372	5032	wmisxjg.exe	212
PID 4840 set thread context of 3084	4840	wmisxjg.exe	214
PID 2980 set thread context of 2636	2980	wmisxjg.exe	216
PID 3308 set thread context of 1624	3308	wmisxjg.exe	218
PID 4504 set thread context of 1076	4504	wmisxjg.exe	220
PID 3184 set thread context of 4040	3184	wmisxjg.exe	222
PID 640 set thread context of 3928	640	wmisxjg.exe	224
PID 3540 set thread context of 3484	3540	wmisxjg.exe	226
PID 3516 set thread context of 3788	3516	wmisxjg.exe	228

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4676-0-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4676-2-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4676-3-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4676-4-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4676-40-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4704-45-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4704-46-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4704-44-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4704-47-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3800-55-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/704-62-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4376-70-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2128-78-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4240-85-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1964-93-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2052-100-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/544-107-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3036-115-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4064-121-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3584-131-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4032-139-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4852-147-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2064-155-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2352-163-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2624-172-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2720-181-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1496-189-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2992-193-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2992-198-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4844-206-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4344-214-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/804-222-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3972-228-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/860-234-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1188-240-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5080-246-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1436-252-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2244-258-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2004-264-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2124-270-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2268-276-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4860-282-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1204-288-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1444-294-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1920-300-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3268-306-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4948-312-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1580-318-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4812-324-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2892-330-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3032-336-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3664-342-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2948-348-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3124-354-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/392-360-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4492-366-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/552-372-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/812-378-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/4288-384-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2404-390-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/1312-396-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/5008-402-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/2432-408-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/3272-414-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisxjg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisxjg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4676	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
4676	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
4704	wmisxjg.exe
4704	wmisxjg.exe
3800	wmisxjg.exe
3800	wmisxjg.exe
704	wmisxjg.exe
704	wmisxjg.exe
4376	wmisxjg.exe
4376	wmisxjg.exe
2128	wmisxjg.exe
2128	wmisxjg.exe
4240	wmisxjg.exe
4240	wmisxjg.exe
1964	wmisxjg.exe
1964	wmisxjg.exe
2052	wmisxjg.exe
2052	wmisxjg.exe
544	wmisxjg.exe
544	wmisxjg.exe
3036	wmisxjg.exe
3036	wmisxjg.exe
4064	wmisxjg.exe
4064	wmisxjg.exe
3584	wmisxjg.exe
3584	wmisxjg.exe
4032	wmisxjg.exe
4032	wmisxjg.exe
4852	wmisxjg.exe
4852	wmisxjg.exe
2064	wmisxjg.exe
2064	wmisxjg.exe
2352	wmisxjg.exe
2352	wmisxjg.exe
2624	wmisxjg.exe
2624	wmisxjg.exe
2720	wmisxjg.exe
2720	wmisxjg.exe
1496	wmisxjg.exe
1496	wmisxjg.exe
2992	wmisxjg.exe
2992	wmisxjg.exe
4844	wmisxjg.exe
4844	wmisxjg.exe
4344	wmisxjg.exe
4344	wmisxjg.exe
804	wmisxjg.exe
804	wmisxjg.exe
3972	wmisxjg.exe
3972	wmisxjg.exe
860	wmisxjg.exe
860	wmisxjg.exe
1188	wmisxjg.exe
1188	wmisxjg.exe
5080	wmisxjg.exe
5080	wmisxjg.exe
1436	wmisxjg.exe
1436	wmisxjg.exe
2244	wmisxjg.exe
2244	wmisxjg.exe
2004	wmisxjg.exe
2004	wmisxjg.exe
2124	wmisxjg.exe
2124	wmisxjg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 4676	3268	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	83
PID 3268 wrote to memory of 4676	3268	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	83
PID 3268 wrote to memory of 4676	3268	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	83
PID 3268 wrote to memory of 4676	3268	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	83
PID 3268 wrote to memory of 4676	3268	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	83
PID 3268 wrote to memory of 4676	3268	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	83
PID 3268 wrote to memory of 4676	3268	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	83
PID 4676 wrote to memory of 4824	4676	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	84
PID 4676 wrote to memory of 4824	4676	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	84
PID 4676 wrote to memory of 4824	4676	daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe	84
PID 4824 wrote to memory of 4704	4824	wmisxjg.exe	85
PID 4824 wrote to memory of 4704	4824	wmisxjg.exe	85
PID 4824 wrote to memory of 4704	4824	wmisxjg.exe	85
PID 4824 wrote to memory of 4704	4824	wmisxjg.exe	85
PID 4824 wrote to memory of 4704	4824	wmisxjg.exe	85
PID 4824 wrote to memory of 4704	4824	wmisxjg.exe	85
PID 4824 wrote to memory of 4704	4824	wmisxjg.exe	85
PID 4704 wrote to memory of 3516	4704	wmisxjg.exe	86
PID 4704 wrote to memory of 3516	4704	wmisxjg.exe	86
PID 4704 wrote to memory of 3516	4704	wmisxjg.exe	86
PID 3516 wrote to memory of 3800	3516	wmisxjg.exe	87
PID 3516 wrote to memory of 3800	3516	wmisxjg.exe	87
PID 3516 wrote to memory of 3800	3516	wmisxjg.exe	87
PID 3516 wrote to memory of 3800	3516	wmisxjg.exe	87
PID 3516 wrote to memory of 3800	3516	wmisxjg.exe	87
PID 3516 wrote to memory of 3800	3516	wmisxjg.exe	87
PID 3516 wrote to memory of 3800	3516	wmisxjg.exe	87
PID 3800 wrote to memory of 1064	3800	wmisxjg.exe	89
PID 3800 wrote to memory of 1064	3800	wmisxjg.exe	89
PID 3800 wrote to memory of 1064	3800	wmisxjg.exe	89
PID 1064 wrote to memory of 704	1064	wmisxjg.exe	90
PID 1064 wrote to memory of 704	1064	wmisxjg.exe	90
PID 1064 wrote to memory of 704	1064	wmisxjg.exe	90
PID 1064 wrote to memory of 704	1064	wmisxjg.exe	90
PID 1064 wrote to memory of 704	1064	wmisxjg.exe	90
PID 1064 wrote to memory of 704	1064	wmisxjg.exe	90
PID 1064 wrote to memory of 704	1064	wmisxjg.exe	90
PID 704 wrote to memory of 3500	704	wmisxjg.exe	91
PID 704 wrote to memory of 3500	704	wmisxjg.exe	91
PID 704 wrote to memory of 3500	704	wmisxjg.exe	91
PID 3500 wrote to memory of 4376	3500	wmisxjg.exe	92
PID 3500 wrote to memory of 4376	3500	wmisxjg.exe	92
PID 3500 wrote to memory of 4376	3500	wmisxjg.exe	92
PID 3500 wrote to memory of 4376	3500	wmisxjg.exe	92
PID 3500 wrote to memory of 4376	3500	wmisxjg.exe	92
PID 3500 wrote to memory of 4376	3500	wmisxjg.exe	92
PID 3500 wrote to memory of 4376	3500	wmisxjg.exe	92
PID 4376 wrote to memory of 1772	4376	wmisxjg.exe	93
PID 4376 wrote to memory of 1772	4376	wmisxjg.exe	93
PID 4376 wrote to memory of 1772	4376	wmisxjg.exe	93
PID 1772 wrote to memory of 2128	1772	wmisxjg.exe	94
PID 1772 wrote to memory of 2128	1772	wmisxjg.exe	94
PID 1772 wrote to memory of 2128	1772	wmisxjg.exe	94
PID 1772 wrote to memory of 2128	1772	wmisxjg.exe	94
PID 1772 wrote to memory of 2128	1772	wmisxjg.exe	94
PID 1772 wrote to memory of 2128	1772	wmisxjg.exe	94
PID 1772 wrote to memory of 2128	1772	wmisxjg.exe	94
PID 2128 wrote to memory of 1672	2128	wmisxjg.exe	95
PID 2128 wrote to memory of 1672	2128	wmisxjg.exe	95
PID 2128 wrote to memory of 1672	2128	wmisxjg.exe	95
PID 1672 wrote to memory of 4240	1672	wmisxjg.exe	96
PID 1672 wrote to memory of 4240	1672	wmisxjg.exe	96
PID 1672 wrote to memory of 4240	1672	wmisxjg.exe	96
PID 1672 wrote to memory of 4240	1672	wmisxjg.exe	96

C:\Users\Admin\AppData\Local\Temp\daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Local\Temp\daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\wmisxjg.exe
    "C:\Windows\system32\wmisxjg.exe" C:\Users\Admin\AppData\Local\Temp\DAA4C6~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\wmisxjg.exe
      "C:\Windows\SysWOW64\wmisxjg.exe" C:\Users\Admin\AppData\Local\Temp\DAA4C6~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3516
      - C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4240
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2052
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1080
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        23⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4064
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1864
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3584
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4852
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4152
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4092
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2352
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2624
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2264
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:552
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4680
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:472
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4844
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1868
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5052
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:804
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1424
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3972
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:800
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5044
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1188
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2688
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5080
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4084
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4372
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2244
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        69⤵
        Suspicious use of SetThreadContext
        
        PID:4988
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        71⤵
        Suspicious use of SetThreadContext
        
        PID:3920
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        75⤵
        Suspicious use of SetThreadContext
        
        PID:2692
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        77⤵
        Suspicious use of SetThreadContext
        
        PID:224
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        81⤵
        Suspicious use of SetThreadContext
        
        PID:3876
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        83⤵
        Suspicious use of SetThreadContext
        
        PID:3120
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        86⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        91⤵
        Suspicious use of SetThreadContext
        
        PID:3000
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        93⤵
        Suspicious use of SetThreadContext
        
        PID:2608
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        95⤵
        Suspicious use of SetThreadContext
        
        PID:4388
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        97⤵
        Suspicious use of SetThreadContext
        
        PID:1616
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2344
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        103⤵
        Suspicious use of SetThreadContext
        
        PID:1080
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        104⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        105⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        106⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        107⤵
        Suspicious use of SetThreadContext
        
        PID:3324
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        109⤵
        Suspicious use of SetThreadContext
        
        PID:444
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        110⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        111⤵
        Suspicious use of SetThreadContext
        
        PID:5072
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        112⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        113⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        114⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        115⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        116⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        118⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        120⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        121⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        122⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        123⤵
        Suspicious use of SetThreadContext
        
        PID:3184
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        124⤵
        Checks computer location settings
        
        PID:4040
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        125⤵
        Suspicious use of SetThreadContext
        
        PID:640
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        127⤵
        Suspicious use of SetThreadContext
        
        PID:3540
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        128⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        129⤵
        Suspicious use of SetThreadContext
        
        PID:3516
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        130⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        132⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        134⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        135⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        136⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        137⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        139⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        141⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        143⤵
        
        PID:536
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        144⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        145⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        147⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        148⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        150⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        151⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        153⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        154⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        155⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        156⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        157⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        158⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        159⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        161⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        162⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        163⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        164⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        165⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        170⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        171⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        172⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\wmisxjg.exe
        
        "C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe
        174⤵
        
        PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmisxjg.exe

Filesize
267KB

MD5
daa4c6bec7172d8ac999a9fce4dabe93

SHA1
4f965013d1497c6767dd7fbd230b262228bf2b0b

SHA256
ed817bdcb48adc2f8fd16ce462bf53d634ac326f5cf2545beeaa07bcb08b239f

SHA512
74aa037f2f89e4aa8495b771fca2e04189c70ecf3f960e7da802ded52de645246b4877bd65907584970bc3cb7883182c3d09bf788b45d695456ed60732412e54

Download Submit
memory/316-540-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/372-420-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/392-360-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/544-107-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/552-372-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/704-62-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/764-570-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/804-222-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/812-378-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/860-234-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1076-444-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1188-240-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1204-288-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1312-396-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1436-252-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1444-294-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1496-189-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1580-318-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1600-546-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1624-438-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1920-300-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1964-93-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2004-264-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2052-100-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2064-155-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2124-270-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2128-78-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2208-492-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2216-534-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2244-258-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2268-276-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2352-163-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2404-390-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2432-408-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2440-552-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2624-172-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2636-432-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2704-582-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2720-181-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2892-330-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2940-576-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2948-348-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2972-474-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2992-193-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2992-198-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3008-558-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3032-336-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3036-115-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3084-426-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3100-588-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3124-354-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3268-306-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3272-414-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3484-462-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3532-516-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3584-131-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3664-342-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3788-468-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3800-55-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3928-456-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3940-594-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3952-564-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3972-228-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4000-510-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4032-139-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4040-450-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4064-121-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4240-85-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4288-384-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4344-214-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4376-70-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4392-486-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4492-366-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4512-528-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4540-522-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4560-480-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4676-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4676-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4676-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4676-40-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4676-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4704-47-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4704-44-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4704-46-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4704-45-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4728-504-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4812-324-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4844-206-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4852-147-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4860-282-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4948-312-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4984-498-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5008-402-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5080-246-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download