metasploit | e1f0eafeff7232d5aa2f26b2deff354cd711c209704d8e10944cb331c1938adb

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
Size

216KB
MD5

e040c94783257f9bf033cbc20b183746
SHA1

73dc2cbf4d014d5ad837b170bfbb48f71ac9a6ab
SHA256

e1f0eafeff7232d5aa2f26b2deff354cd711c209704d8e10944cb331c1938adb
SHA512

0e915caf8b6328c09635db7c2f3a6d9aa622cc67c9b8b7bcb5e5b28cd04f3ff40790ec957e0f28bfc895ddd43325b6fa3771aea6517632dec1f18662eaa4221a
SSDEEP

6144:2dKrJbpIgAbFH5a6e6ABoI0jPgJzkzlNwWVZAMQA+YVG83:ZrJbSgAbFH5a6eqI0jPglUwW8I+YVZ3

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
1976	wmisqtl.exe

Executes dropped EXE 64 IoCs

pid	Process
2108	wmisqtl.exe
1976	wmisqtl.exe
2724	wmisqtl.exe
2552	wmisqtl.exe
1644	wmisqtl.exe
2932	wmisqtl.exe
2804	wmisqtl.exe
2052	wmisqtl.exe
1504	wmisqtl.exe
2948	wmisqtl.exe
1980	wmisqtl.exe
2432	wmisqtl.exe
2892	wmisqtl.exe
1592	wmisqtl.exe
996	wmisqtl.exe
1412	wmisqtl.exe
1596	wmisqtl.exe
2036	wmisqtl.exe
1656	wmisqtl.exe
528	wmisqtl.exe
2316	wmisqtl.exe
2340	wmisqtl.exe
2652	wmisqtl.exe
2820	wmisqtl.exe
2732	wmisqtl.exe
2616	wmisqtl.exe
1984	wmisqtl.exe
2884	wmisqtl.exe
2876	wmisqtl.exe
2648	wmisqtl.exe
2912	wmisqtl.exe
2016	wmisqtl.exe
684	wmisqtl.exe
112	wmisqtl.exe
836	wmisqtl.exe
908	wmisqtl.exe
1952	wmisqtl.exe
1716	wmisqtl.exe
1668	wmisqtl.exe
1536	wmisqtl.exe
1328	wmisqtl.exe
1096	wmisqtl.exe
2276	wmisqtl.exe
1580	wmisqtl.exe
1560	wmisqtl.exe
2352	wmisqtl.exe
2756	wmisqtl.exe
2684	wmisqtl.exe
2600	wmisqtl.exe
3044	wmisqtl.exe
2420	wmisqtl.exe
2040	wmisqtl.exe
2848	wmisqtl.exe
2916	wmisqtl.exe
1828	wmisqtl.exe
2132	wmisqtl.exe
1064	wmisqtl.exe
1604	wmisqtl.exe
2200	wmisqtl.exe
1192	wmisqtl.exe
2136	wmisqtl.exe
1752	wmisqtl.exe
2376	wmisqtl.exe
992	wmisqtl.exe

Loads dropped DLL 64 IoCs

pid	Process
1832	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
1832	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
2108	wmisqtl.exe
1976	wmisqtl.exe
1976	wmisqtl.exe
2552	wmisqtl.exe
2552	wmisqtl.exe
2932	wmisqtl.exe
2932	wmisqtl.exe
2052	wmisqtl.exe
2052	wmisqtl.exe
2948	wmisqtl.exe
2948	wmisqtl.exe
2432	wmisqtl.exe
2432	wmisqtl.exe
1592	wmisqtl.exe
1592	wmisqtl.exe
1412	wmisqtl.exe
1412	wmisqtl.exe
2036	wmisqtl.exe
2036	wmisqtl.exe
528	wmisqtl.exe
528	wmisqtl.exe
2340	wmisqtl.exe
2340	wmisqtl.exe
2820	wmisqtl.exe
2820	wmisqtl.exe
2616	wmisqtl.exe
2616	wmisqtl.exe
2884	wmisqtl.exe
2884	wmisqtl.exe
2648	wmisqtl.exe
2648	wmisqtl.exe
2016	wmisqtl.exe
2016	wmisqtl.exe
112	wmisqtl.exe
112	wmisqtl.exe
908	wmisqtl.exe
908	wmisqtl.exe
1716	wmisqtl.exe
1716	wmisqtl.exe
1536	wmisqtl.exe
1536	wmisqtl.exe
1096	wmisqtl.exe
1096	wmisqtl.exe
1580	wmisqtl.exe
1580	wmisqtl.exe
2352	wmisqtl.exe
2352	wmisqtl.exe
2684	wmisqtl.exe
2684	wmisqtl.exe
3044	wmisqtl.exe
3044	wmisqtl.exe
2040	wmisqtl.exe
2040	wmisqtl.exe
2916	wmisqtl.exe
2916	wmisqtl.exe
2132	wmisqtl.exe
2132	wmisqtl.exe
1604	wmisqtl.exe
1604	wmisqtl.exe
1192	wmisqtl.exe
1192	wmisqtl.exe
1752	wmisqtl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 1832	2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	31
PID 2108 set thread context of 1976	2108	wmisqtl.exe	33
PID 2724 set thread context of 2552	2724	wmisqtl.exe	35
PID 1644 set thread context of 2932	1644	wmisqtl.exe	37
PID 2804 set thread context of 2052	2804	wmisqtl.exe	39
PID 1504 set thread context of 2948	1504	wmisqtl.exe	41
PID 1980 set thread context of 2432	1980	wmisqtl.exe	43
PID 2892 set thread context of 1592	2892	wmisqtl.exe	45
PID 996 set thread context of 1412	996	wmisqtl.exe	47
PID 1596 set thread context of 2036	1596	wmisqtl.exe	49
PID 1656 set thread context of 528	1656	wmisqtl.exe	51
PID 2316 set thread context of 2340	2316	wmisqtl.exe	53
PID 2652 set thread context of 2820	2652	wmisqtl.exe	55
PID 2732 set thread context of 2616	2732	wmisqtl.exe	57
PID 1984 set thread context of 2884	1984	wmisqtl.exe	59
PID 2876 set thread context of 2648	2876	wmisqtl.exe	61
PID 2912 set thread context of 2016	2912	wmisqtl.exe	63
PID 684 set thread context of 112	684	wmisqtl.exe	65
PID 836 set thread context of 908	836	wmisqtl.exe	67
PID 1952 set thread context of 1716	1952	wmisqtl.exe	69
PID 1668 set thread context of 1536	1668	wmisqtl.exe	71
PID 1328 set thread context of 1096	1328	wmisqtl.exe	73
PID 2276 set thread context of 1580	2276	wmisqtl.exe	75
PID 1560 set thread context of 2352	1560	wmisqtl.exe	77
PID 2756 set thread context of 2684	2756	wmisqtl.exe	79
PID 2600 set thread context of 3044	2600	wmisqtl.exe	81
PID 2420 set thread context of 2040	2420	wmisqtl.exe	83
PID 2848 set thread context of 2916	2848	wmisqtl.exe	85
PID 1828 set thread context of 2132	1828	wmisqtl.exe	87
PID 1064 set thread context of 1604	1064	wmisqtl.exe	89
PID 2200 set thread context of 1192	2200	wmisqtl.exe	91
PID 2136 set thread context of 1752	2136	wmisqtl.exe	93
PID 2376 set thread context of 992	2376	wmisqtl.exe	95
PID 1484 set thread context of 1328	1484	wmisqtl.exe	97
PID 2072 set thread context of 3004	2072	wmisqtl.exe	99
PID 2336 set thread context of 1680	2336	wmisqtl.exe	101
PID 2976 set thread context of 2756	2976	wmisqtl.exe	103
PID 2728 set thread context of 1688	2728	wmisqtl.exe	105
PID 536 set thread context of 640	536	wmisqtl.exe	107
PID 2920 set thread context of 848	2920	wmisqtl.exe	109
PID 3024 set thread context of 2152	3024	wmisqtl.exe	111
PID 1064 set thread context of 2656	1064	wmisqtl.exe	113
PID 1988 set thread context of 1208	1988	wmisqtl.exe	115
PID 1884 set thread context of 1244	1884	wmisqtl.exe	117
PID 2960 set thread context of 2204	2960	wmisqtl.exe	119
PID 1824 set thread context of 2096	1824	wmisqtl.exe	121
PID 2836 set thread context of 2288	2836	wmisqtl.exe	123
PID 2328 set thread context of 2712	2328	wmisqtl.exe	125
PID 2324 set thread context of 2732	2324	wmisqtl.exe	127
PID 3060 set thread context of 2420	3060	wmisqtl.exe	129
PID 1336 set thread context of 2804	1336	wmisqtl.exe	131
PID 1436 set thread context of 1944	1436	wmisqtl.exe	133
PID 1980 set thread context of 2308	1980	wmisqtl.exe	135
PID 1728 set thread context of 1740	1728	wmisqtl.exe	137
PID 560 set thread context of 1884	560	wmisqtl.exe	139
PID 2176 set thread context of 2960	2176	wmisqtl.exe	141
PID 1088 set thread context of 1824	1088	wmisqtl.exe	143
PID 3000 set thread context of 1560	3000	wmisqtl.exe	145
PID 2700 set thread context of 2108	2700	wmisqtl.exe	147
PID 2588 set thread context of 3052	2588	wmisqtl.exe	149
PID 864 set thread context of 1816	864	wmisqtl.exe	151
PID 2920 set thread context of 1628	2920	wmisqtl.exe	154
PID 3024 set thread context of 2520	3024	wmisqtl.exe	156
PID 1456 set thread context of 1876	1456	wmisqtl.exe	158

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1832-4-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-6-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-9-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-15-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-14-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-13-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-12-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-11-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1832-28-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1976-42-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1976-45-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1976-44-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1976-43-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1976-51-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2552-65-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2552-64-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2552-63-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2552-70-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2932-85-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2932-90-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2052-105-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2052-104-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2052-103-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2052-111-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2948-125-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2948-131-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2432-146-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2432-151-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1592-166-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1592-172-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1412-187-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1412-192-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2036-207-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2036-212-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/528-227-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/528-234-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2340-247-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2340-252-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2820-267-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2820-273-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2616-287-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2616-291-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2884-303-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2884-307-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2648-320-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2648-323-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2016-335-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2016-339-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/112-352-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/112-355-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/908-368-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/908-372-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1716-384-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1716-387-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1536-400-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1536-403-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1096-416-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1096-419-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1580-432-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1580-435-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2352-448-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2352-451-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2684-464-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2684-467-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1832	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
1976	wmisqtl.exe
2552	wmisqtl.exe
2932	wmisqtl.exe
2052	wmisqtl.exe
2948	wmisqtl.exe
2432	wmisqtl.exe
1592	wmisqtl.exe
1412	wmisqtl.exe
2036	wmisqtl.exe
528	wmisqtl.exe
2340	wmisqtl.exe
2820	wmisqtl.exe
2616	wmisqtl.exe
2884	wmisqtl.exe
2648	wmisqtl.exe
2016	wmisqtl.exe
112	wmisqtl.exe
908	wmisqtl.exe
1716	wmisqtl.exe
1536	wmisqtl.exe
1096	wmisqtl.exe
1580	wmisqtl.exe
2352	wmisqtl.exe
2684	wmisqtl.exe
3044	wmisqtl.exe
2040	wmisqtl.exe
2916	wmisqtl.exe
2132	wmisqtl.exe
1604	wmisqtl.exe
1192	wmisqtl.exe
1752	wmisqtl.exe
992	wmisqtl.exe
1328	wmisqtl.exe
3004	wmisqtl.exe
1680	wmisqtl.exe
2756	wmisqtl.exe
1688	wmisqtl.exe
640	wmisqtl.exe
848	wmisqtl.exe
2152	wmisqtl.exe
2656	wmisqtl.exe
1208	wmisqtl.exe
1244	wmisqtl.exe
2204	wmisqtl.exe
2096	wmisqtl.exe
2288	wmisqtl.exe
2712	wmisqtl.exe
2732	wmisqtl.exe
2420	wmisqtl.exe
2804	wmisqtl.exe
1944	wmisqtl.exe
2308	wmisqtl.exe
1740	wmisqtl.exe
1884	wmisqtl.exe
2960	wmisqtl.exe
1824	wmisqtl.exe
1560	wmisqtl.exe
2108	wmisqtl.exe
3052	wmisqtl.exe
1816	wmisqtl.exe
1628	wmisqtl.exe
2520	wmisqtl.exe
1876	wmisqtl.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
2108	wmisqtl.exe
2724	wmisqtl.exe
1644	wmisqtl.exe
2804	wmisqtl.exe
1504	wmisqtl.exe
1980	wmisqtl.exe
2892	wmisqtl.exe
996	wmisqtl.exe
1596	wmisqtl.exe
1656	wmisqtl.exe
2316	wmisqtl.exe
2652	wmisqtl.exe
2732	wmisqtl.exe
1984	wmisqtl.exe
2876	wmisqtl.exe
2912	wmisqtl.exe
684	wmisqtl.exe
836	wmisqtl.exe
1952	wmisqtl.exe
1668	wmisqtl.exe
1328	wmisqtl.exe
2276	wmisqtl.exe
1560	wmisqtl.exe
2756	wmisqtl.exe
2600	wmisqtl.exe
2420	wmisqtl.exe
2848	wmisqtl.exe
1828	wmisqtl.exe
1064	wmisqtl.exe
2200	wmisqtl.exe
2136	wmisqtl.exe
2376	wmisqtl.exe
1484	wmisqtl.exe
2072	wmisqtl.exe
2336	wmisqtl.exe
2976	wmisqtl.exe
2728	wmisqtl.exe
536	wmisqtl.exe
2920	wmisqtl.exe
3024	wmisqtl.exe
1064	wmisqtl.exe
1988	wmisqtl.exe
1884	wmisqtl.exe
2960	wmisqtl.exe
1824	wmisqtl.exe
2836	wmisqtl.exe
2328	wmisqtl.exe
2324	wmisqtl.exe
3060	wmisqtl.exe
1336	wmisqtl.exe
1436	wmisqtl.exe
1980	wmisqtl.exe
1728	wmisqtl.exe
560	wmisqtl.exe
2176	wmisqtl.exe
1088	wmisqtl.exe
3000	wmisqtl.exe
2700	wmisqtl.exe
2588	wmisqtl.exe
864	wmisqtl.exe
2920	wmisqtl.exe
3024	wmisqtl.exe
1456	wmisqtl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1832	2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	31
PID 2256 wrote to memory of 1832	2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	31
PID 2256 wrote to memory of 1832	2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	31
PID 2256 wrote to memory of 1832	2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	31
PID 2256 wrote to memory of 1832	2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	31
PID 2256 wrote to memory of 1832	2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	31
PID 2256 wrote to memory of 1832	2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	31
PID 2256 wrote to memory of 1832	2256	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	31
PID 1832 wrote to memory of 2108	1832	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	32
PID 1832 wrote to memory of 2108	1832	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	32
PID 1832 wrote to memory of 2108	1832	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	32
PID 1832 wrote to memory of 2108	1832	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	32
PID 2108 wrote to memory of 1976	2108	wmisqtl.exe	33
PID 2108 wrote to memory of 1976	2108	wmisqtl.exe	33
PID 2108 wrote to memory of 1976	2108	wmisqtl.exe	33
PID 2108 wrote to memory of 1976	2108	wmisqtl.exe	33
PID 2108 wrote to memory of 1976	2108	wmisqtl.exe	33
PID 2108 wrote to memory of 1976	2108	wmisqtl.exe	33
PID 2108 wrote to memory of 1976	2108	wmisqtl.exe	33
PID 2108 wrote to memory of 1976	2108	wmisqtl.exe	33
PID 1976 wrote to memory of 2724	1976	wmisqtl.exe	34
PID 1976 wrote to memory of 2724	1976	wmisqtl.exe	34
PID 1976 wrote to memory of 2724	1976	wmisqtl.exe	34
PID 1976 wrote to memory of 2724	1976	wmisqtl.exe	34
PID 2724 wrote to memory of 2552	2724	wmisqtl.exe	35
PID 2724 wrote to memory of 2552	2724	wmisqtl.exe	35
PID 2724 wrote to memory of 2552	2724	wmisqtl.exe	35
PID 2724 wrote to memory of 2552	2724	wmisqtl.exe	35
PID 2724 wrote to memory of 2552	2724	wmisqtl.exe	35
PID 2724 wrote to memory of 2552	2724	wmisqtl.exe	35
PID 2724 wrote to memory of 2552	2724	wmisqtl.exe	35
PID 2724 wrote to memory of 2552	2724	wmisqtl.exe	35
PID 2552 wrote to memory of 1644	2552	wmisqtl.exe	36
PID 2552 wrote to memory of 1644	2552	wmisqtl.exe	36
PID 2552 wrote to memory of 1644	2552	wmisqtl.exe	36
PID 2552 wrote to memory of 1644	2552	wmisqtl.exe	36
PID 1644 wrote to memory of 2932	1644	wmisqtl.exe	37
PID 1644 wrote to memory of 2932	1644	wmisqtl.exe	37
PID 1644 wrote to memory of 2932	1644	wmisqtl.exe	37
PID 1644 wrote to memory of 2932	1644	wmisqtl.exe	37
PID 1644 wrote to memory of 2932	1644	wmisqtl.exe	37
PID 1644 wrote to memory of 2932	1644	wmisqtl.exe	37
PID 1644 wrote to memory of 2932	1644	wmisqtl.exe	37
PID 1644 wrote to memory of 2932	1644	wmisqtl.exe	37
PID 2932 wrote to memory of 2804	2932	wmisqtl.exe	38
PID 2932 wrote to memory of 2804	2932	wmisqtl.exe	38
PID 2932 wrote to memory of 2804	2932	wmisqtl.exe	38
PID 2932 wrote to memory of 2804	2932	wmisqtl.exe	38
PID 2804 wrote to memory of 2052	2804	wmisqtl.exe	39
PID 2804 wrote to memory of 2052	2804	wmisqtl.exe	39
PID 2804 wrote to memory of 2052	2804	wmisqtl.exe	39
PID 2804 wrote to memory of 2052	2804	wmisqtl.exe	39
PID 2804 wrote to memory of 2052	2804	wmisqtl.exe	39
PID 2804 wrote to memory of 2052	2804	wmisqtl.exe	39
PID 2804 wrote to memory of 2052	2804	wmisqtl.exe	39
PID 2804 wrote to memory of 2052	2804	wmisqtl.exe	39
PID 2052 wrote to memory of 1504	2052	wmisqtl.exe	40
PID 2052 wrote to memory of 1504	2052	wmisqtl.exe	40
PID 2052 wrote to memory of 1504	2052	wmisqtl.exe	40
PID 2052 wrote to memory of 1504	2052	wmisqtl.exe	40
PID 1504 wrote to memory of 2948	1504	wmisqtl.exe	41
PID 1504 wrote to memory of 2948	1504	wmisqtl.exe	41
PID 1504 wrote to memory of 2948	1504	wmisqtl.exe	41
PID 1504 wrote to memory of 2948	1504	wmisqtl.exe	41

C:\Users\Admin\AppData\Local\Temp\e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\wmisqtl.exe
    "C:\Windows\system32\wmisqtl.exe" C:\Users\Admin\AppData\Local\Temp\E040C9~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\wmisqtl.exe
      "C:\Windows\system32\wmisqtl.exe" C:\Users\Admin\AppData\Local\Temp\E040C9~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1412
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:528
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:908
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2352
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2132
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        68⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        70⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        72⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        74⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        76⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        78⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:640
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        80⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:848
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        84⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        85⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1208
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        88⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        89⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        90⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        91⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        92⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2096
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        94⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        96⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        98⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        99⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        100⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        101⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        102⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        103⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        104⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        105⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        106⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        107⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        108⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        109⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        110⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1884
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        111⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        112⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        113⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        114⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        115⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        116⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        118⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        119⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        120⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        121⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        122⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        123⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        124⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1628
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        126⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        127⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        128⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        130⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        131⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        132⤵
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        133⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        134⤵
        
        PID:996
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        135⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        136⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        137⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        139⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        140⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        141⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        142⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        143⤵
        
        PID:596
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        144⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        145⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        147⤵
        
        PID:536
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        148⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        150⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        151⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        152⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        153⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        154⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        155⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        156⤵
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        158⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        160⤵
        Drops file in System32 directory
        
        PID:288
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        163⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        164⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        166⤵
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        167⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        168⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        169⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        171⤵
        
        PID:236
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        172⤵
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        173⤵
        
        PID:972
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        174⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        175⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        176⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        177⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        178⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        179⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        181⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        182⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        183⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        184⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        185⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        186⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        187⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        188⤵
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        189⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        190⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        192⤵
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        194⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        195⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        196⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        197⤵
        
        PID:568
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        198⤵
        
        PID:892
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        200⤵
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        201⤵
        
        PID:604
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        202⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        204⤵
        
        PID:824
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        205⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        206⤵
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        207⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        208⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        209⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        210⤵
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        211⤵
        
        PID:880
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        212⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        213⤵
        
        PID:328
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        216⤵
        
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmisqtl.exe

Filesize
216KB

MD5
e040c94783257f9bf033cbc20b183746

SHA1
73dc2cbf4d014d5ad837b170bfbb48f71ac9a6ab

SHA256
e1f0eafeff7232d5aa2f26b2deff354cd711c209704d8e10944cb331c1938adb

SHA512
0e915caf8b6328c09635db7c2f3a6d9aa622cc67c9b8b7bcb5e5b28cd04f3ff40790ec957e0f28bfc895ddd43325b6fa3771aea6517632dec1f18662eaa4221a

Download Submit
memory/112-355-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/112-352-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/528-227-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/528-234-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/640-690-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/640-687-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/848-706-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/848-703-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/908-372-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/908-368-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/992-594-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/992-591-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1096-419-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1096-416-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1192-562-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1192-559-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1208-751-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1208-754-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1244-767-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1244-770-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1328-607-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1328-610-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1412-187-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1412-192-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1536-400-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1536-403-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-432-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1580-435-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1592-166-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1592-172-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1604-543-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1604-546-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1680-638-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1680-644-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1688-670-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1688-674-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1716-384-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1716-387-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1752-578-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1752-574-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-12-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-13-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-4-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1832-9-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-14-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-28-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-2-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-11-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1976-42-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1976-45-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1976-44-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1976-43-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1976-51-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2016-339-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2016-335-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2036-212-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2036-207-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2040-498-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2052-103-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2052-111-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2052-104-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2052-105-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2096-802-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2096-799-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2132-527-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2132-531-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2152-719-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2152-722-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2204-786-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2204-783-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2288-818-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2288-815-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2340-252-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2340-247-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2352-451-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2352-448-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2432-146-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2432-151-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2552-65-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2552-64-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2552-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2552-63-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2616-291-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2616-287-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2648-320-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2648-323-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2656-738-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2656-735-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2684-467-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2684-464-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-831-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-834-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2756-658-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2756-655-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-267-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-273-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2884-307-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2884-303-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2916-514-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2916-511-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2932-85-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2932-90-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2948-131-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2948-125-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3004-627-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3004-623-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3044-480-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3044-483-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download