metasploit | e1f0eafeff7232d5aa2f26b2deff354cd711c209704d8e10944cb331c1938adb

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
Size

216KB
MD5

e040c94783257f9bf033cbc20b183746
SHA1

73dc2cbf4d014d5ad837b170bfbb48f71ac9a6ab
SHA256

e1f0eafeff7232d5aa2f26b2deff354cd711c209704d8e10944cb331c1938adb
SHA512

0e915caf8b6328c09635db7c2f3a6d9aa622cc67c9b8b7bcb5e5b28cd04f3ff40790ec957e0f28bfc895ddd43325b6fa3771aea6517632dec1f18662eaa4221a
SSDEEP

6144:2dKrJbpIgAbFH5a6e6ABoI0jPgJzkzlNwWVZAMQA+YVG83:ZrJbSgAbFH5a6eqI0jPglUwW8I+YVZ3

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisqtl.exe

Deletes itself 1 IoCs

pid	Process
2660	wmisqtl.exe

Executes dropped EXE 64 IoCs

pid	Process
2308	wmisqtl.exe
2660	wmisqtl.exe
4068	wmisqtl.exe
4672	wmisqtl.exe
812	wmisqtl.exe
4064	wmisqtl.exe
4544	wmisqtl.exe
2448	wmisqtl.exe
2880	wmisqtl.exe
1532	wmisqtl.exe
1976	wmisqtl.exe
3476	wmisqtl.exe
4288	wmisqtl.exe
2596	wmisqtl.exe
4364	wmisqtl.exe
1168	wmisqtl.exe
3864	wmisqtl.exe
3388	wmisqtl.exe
2452	wmisqtl.exe
4396	wmisqtl.exe
2340	wmisqtl.exe
4384	wmisqtl.exe
4708	wmisqtl.exe
2664	wmisqtl.exe
1184	wmisqtl.exe
3176	wmisqtl.exe
1664	wmisqtl.exe
3532	wmisqtl.exe
1536	wmisqtl.exe
940	wmisqtl.exe
3684	wmisqtl.exe
4312	wmisqtl.exe
2936	wmisqtl.exe
4812	wmisqtl.exe
3252	wmisqtl.exe
2488	wmisqtl.exe
4552	wmisqtl.exe
3364	wmisqtl.exe
2808	wmisqtl.exe
3616	wmisqtl.exe
2812	wmisqtl.exe
2112	wmisqtl.exe
2564	wmisqtl.exe
3412	wmisqtl.exe
220	wmisqtl.exe
2648	wmisqtl.exe
2600	wmisqtl.exe
904	wmisqtl.exe
4432	wmisqtl.exe
4280	wmisqtl.exe
1636	wmisqtl.exe
3600	wmisqtl.exe
4852	wmisqtl.exe
4928	wmisqtl.exe
3780	wmisqtl.exe
4548	wmisqtl.exe
1500	wmisqtl.exe
1068	wmisqtl.exe
3460	wmisqtl.exe
4700	wmisqtl.exe
768	wmisqtl.exe
3080	wmisqtl.exe
4808	wmisqtl.exe
3252	wmisqtl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File created	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe
File opened for modification	C:\Windows\SysWOW64\wmisqtl.exe	wmisqtl.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 4208 set thread context of 3168	4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	82
PID 2308 set thread context of 2660	2308	wmisqtl.exe	84
PID 4068 set thread context of 4672	4068	wmisqtl.exe	86
PID 812 set thread context of 4064	812	wmisqtl.exe	88
PID 4544 set thread context of 2448	4544	wmisqtl.exe	90
PID 2880 set thread context of 1532	2880	wmisqtl.exe	96
PID 1976 set thread context of 3476	1976	wmisqtl.exe	98
PID 4288 set thread context of 2596	4288	wmisqtl.exe	101
PID 4364 set thread context of 1168	4364	wmisqtl.exe	105
PID 3864 set thread context of 3388	3864	wmisqtl.exe	107
PID 2452 set thread context of 4396	2452	wmisqtl.exe	109
PID 2340 set thread context of 4384	2340	wmisqtl.exe	111
PID 4708 set thread context of 2664	4708	wmisqtl.exe	113
PID 1184 set thread context of 3176	1184	wmisqtl.exe	115
PID 1664 set thread context of 3532	1664	wmisqtl.exe	117
PID 1536 set thread context of 940	1536	wmisqtl.exe	120
PID 3684 set thread context of 4312	3684	wmisqtl.exe	123
PID 2936 set thread context of 4812	2936	wmisqtl.exe	125
PID 3252 set thread context of 2488	3252	wmisqtl.exe	127
PID 4552 set thread context of 3364	4552	wmisqtl.exe	129
PID 2808 set thread context of 3616	2808	wmisqtl.exe	131
PID 2812 set thread context of 2112	2812	wmisqtl.exe	133
PID 2564 set thread context of 3412	2564	wmisqtl.exe	135
PID 220 set thread context of 2648	220	wmisqtl.exe	137
PID 2600 set thread context of 904	2600	wmisqtl.exe	139
PID 4432 set thread context of 4280	4432	wmisqtl.exe	141
PID 1636 set thread context of 3600	1636	wmisqtl.exe	143
PID 4852 set thread context of 4928	4852	wmisqtl.exe	145
PID 3780 set thread context of 4548	3780	wmisqtl.exe	147
PID 1500 set thread context of 1068	1500	wmisqtl.exe	149
PID 3460 set thread context of 4700	3460	wmisqtl.exe	151
PID 768 set thread context of 3080	768	wmisqtl.exe	153
PID 4808 set thread context of 3252	4808	wmisqtl.exe	155
PID 4288 set thread context of 336	4288	wmisqtl.exe	157
PID 2116 set thread context of 4756	2116	wmisqtl.exe	159
PID 4120 set thread context of 2692	4120	wmisqtl.exe	161
PID 2812 set thread context of 3436	2812	wmisqtl.exe	163
PID 3896 set thread context of 4324	3896	wmisqtl.exe	165
PID 3564 set thread context of 4300	3564	wmisqtl.exe	167
PID 2340 set thread context of 4820	2340	wmisqtl.exe	169
PID 4708 set thread context of 3028	4708	wmisqtl.exe	171
PID 4276 set thread context of 4704	4276	wmisqtl.exe	173
PID 3636 set thread context of 4088	3636	wmisqtl.exe	175
PID 3672 set thread context of 3384	3672	wmisqtl.exe	177
PID 3664 set thread context of 4268	3664	wmisqtl.exe	179
PID 4272 set thread context of 3812	4272	wmisqtl.exe	181
PID 4468 set thread context of 2536	4468	wmisqtl.exe	183
PID 2944 set thread context of 2124	2944	wmisqtl.exe	185
PID 2140 set thread context of 1652	2140	wmisqtl.exe	187
PID 3172 set thread context of 4520	3172	wmisqtl.exe	189
PID 3076 set thread context of 1544	3076	wmisqtl.exe	191
PID 1540 set thread context of 1052	1540	wmisqtl.exe	193
PID 3316 set thread context of 4472	3316	wmisqtl.exe	195
PID 4316 set thread context of 2240	4316	wmisqtl.exe	197
PID 708 set thread context of 212	708	wmisqtl.exe	199
PID 4608 set thread context of 388	4608	wmisqtl.exe	201
PID 1636 set thread context of 4824	1636	wmisqtl.exe	203
PID 4440 set thread context of 4504	4440	wmisqtl.exe	205
PID 372 set thread context of 812	372	wmisqtl.exe	207
PID 4788 set thread context of 3584	4788	wmisqtl.exe	209
PID 3920 set thread context of 3744	3920	wmisqtl.exe	211
PID 4776 set thread context of 1016	4776	wmisqtl.exe	213
PID 3144 set thread context of 2152	3144	wmisqtl.exe	215
PID 4240 set thread context of 436	4240	wmisqtl.exe	217

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3168-2-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3168-4-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3168-6-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3168-5-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3168-67-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2660-75-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2660-77-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2660-76-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2660-74-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2660-78-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4672-85-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4672-87-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4672-86-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4672-88-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4064-95-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4064-97-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4064-96-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4064-99-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2448-107-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2448-108-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2448-106-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2448-109-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/1532-117-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/1532-118-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/1532-120-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3476-131-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2596-138-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2596-139-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/1168-148-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/1168-150-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3388-158-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3388-162-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4396-169-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4396-171-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4384-179-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4384-181-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2664-188-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2664-193-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3176-203-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3532-209-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3532-215-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/940-222-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/940-227-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4312-237-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4812-248-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2488-254-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2488-259-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3364-266-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3364-270-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3616-277-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3616-281-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2112-287-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2112-292-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3412-299-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3412-303-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2648-310-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/2648-313-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/904-319-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/904-322-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4280-330-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3600-336-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3600-339-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4928-347-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4548-353-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisqtl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisqtl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3168	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
3168	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
2660	wmisqtl.exe
2660	wmisqtl.exe
4672	wmisqtl.exe
4672	wmisqtl.exe
4064	wmisqtl.exe
4064	wmisqtl.exe
2448	wmisqtl.exe
2448	wmisqtl.exe
1532	wmisqtl.exe
1532	wmisqtl.exe
3476	wmisqtl.exe
3476	wmisqtl.exe
2596	wmisqtl.exe
2596	wmisqtl.exe
1168	wmisqtl.exe
1168	wmisqtl.exe
3388	wmisqtl.exe
3388	wmisqtl.exe
4396	wmisqtl.exe
4396	wmisqtl.exe
4384	wmisqtl.exe
4384	wmisqtl.exe
2664	wmisqtl.exe
2664	wmisqtl.exe
3176	wmisqtl.exe
3176	wmisqtl.exe
3532	wmisqtl.exe
3532	wmisqtl.exe
940	wmisqtl.exe
940	wmisqtl.exe
4312	wmisqtl.exe
4312	wmisqtl.exe
4812	wmisqtl.exe
4812	wmisqtl.exe
2488	wmisqtl.exe
2488	wmisqtl.exe
3364	wmisqtl.exe
3364	wmisqtl.exe
3616	wmisqtl.exe
3616	wmisqtl.exe
2112	wmisqtl.exe
2112	wmisqtl.exe
3412	wmisqtl.exe
3412	wmisqtl.exe
2648	wmisqtl.exe
2648	wmisqtl.exe
904	wmisqtl.exe
904	wmisqtl.exe
4280	wmisqtl.exe
4280	wmisqtl.exe
3600	wmisqtl.exe
3600	wmisqtl.exe
4928	wmisqtl.exe
4928	wmisqtl.exe
4548	wmisqtl.exe
4548	wmisqtl.exe
1068	wmisqtl.exe
1068	wmisqtl.exe
4700	wmisqtl.exe
4700	wmisqtl.exe
3080	wmisqtl.exe
3080	wmisqtl.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
2308	wmisqtl.exe
4068	wmisqtl.exe
812	wmisqtl.exe
4544	wmisqtl.exe
2880	wmisqtl.exe
1976	wmisqtl.exe
4288	wmisqtl.exe
4364	wmisqtl.exe
3864	wmisqtl.exe
2452	wmisqtl.exe
2340	wmisqtl.exe
4708	wmisqtl.exe
1184	wmisqtl.exe
1664	wmisqtl.exe
1536	wmisqtl.exe
3684	wmisqtl.exe
2936	wmisqtl.exe
3252	wmisqtl.exe
4552	wmisqtl.exe
2808	wmisqtl.exe
2812	wmisqtl.exe
2564	wmisqtl.exe
220	wmisqtl.exe
2600	wmisqtl.exe
4432	wmisqtl.exe
1636	wmisqtl.exe
4852	wmisqtl.exe
3780	wmisqtl.exe
1500	wmisqtl.exe
3460	wmisqtl.exe
768	wmisqtl.exe
4808	wmisqtl.exe
4288	wmisqtl.exe
2116	wmisqtl.exe
4120	wmisqtl.exe
2812	wmisqtl.exe
3896	wmisqtl.exe
3564	wmisqtl.exe
2340	wmisqtl.exe
4708	wmisqtl.exe
4276	wmisqtl.exe
3636	wmisqtl.exe
3672	wmisqtl.exe
3664	wmisqtl.exe
4272	wmisqtl.exe
4468	wmisqtl.exe
2944	wmisqtl.exe
2140	wmisqtl.exe
3172	wmisqtl.exe
3076	wmisqtl.exe
1540	wmisqtl.exe
3316	wmisqtl.exe
4316	wmisqtl.exe
708	wmisqtl.exe
4608	wmisqtl.exe
1636	wmisqtl.exe
4440	wmisqtl.exe
372	wmisqtl.exe
4788	wmisqtl.exe
3920	wmisqtl.exe
4776	wmisqtl.exe
3144	wmisqtl.exe
4240	wmisqtl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 3168	4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	82
PID 4208 wrote to memory of 3168	4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	82
PID 4208 wrote to memory of 3168	4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	82
PID 4208 wrote to memory of 3168	4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	82
PID 4208 wrote to memory of 3168	4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	82
PID 4208 wrote to memory of 3168	4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	82
PID 4208 wrote to memory of 3168	4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	82
PID 4208 wrote to memory of 3168	4208	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	82
PID 3168 wrote to memory of 2308	3168	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	83
PID 3168 wrote to memory of 2308	3168	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	83
PID 3168 wrote to memory of 2308	3168	e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe	83
PID 2308 wrote to memory of 2660	2308	wmisqtl.exe	84
PID 2308 wrote to memory of 2660	2308	wmisqtl.exe	84
PID 2308 wrote to memory of 2660	2308	wmisqtl.exe	84
PID 2308 wrote to memory of 2660	2308	wmisqtl.exe	84
PID 2308 wrote to memory of 2660	2308	wmisqtl.exe	84
PID 2308 wrote to memory of 2660	2308	wmisqtl.exe	84
PID 2308 wrote to memory of 2660	2308	wmisqtl.exe	84
PID 2308 wrote to memory of 2660	2308	wmisqtl.exe	84
PID 2660 wrote to memory of 4068	2660	wmisqtl.exe	85
PID 2660 wrote to memory of 4068	2660	wmisqtl.exe	85
PID 2660 wrote to memory of 4068	2660	wmisqtl.exe	85
PID 4068 wrote to memory of 4672	4068	wmisqtl.exe	86
PID 4068 wrote to memory of 4672	4068	wmisqtl.exe	86
PID 4068 wrote to memory of 4672	4068	wmisqtl.exe	86
PID 4068 wrote to memory of 4672	4068	wmisqtl.exe	86
PID 4068 wrote to memory of 4672	4068	wmisqtl.exe	86
PID 4068 wrote to memory of 4672	4068	wmisqtl.exe	86
PID 4068 wrote to memory of 4672	4068	wmisqtl.exe	86
PID 4068 wrote to memory of 4672	4068	wmisqtl.exe	86
PID 4672 wrote to memory of 812	4672	wmisqtl.exe	87
PID 4672 wrote to memory of 812	4672	wmisqtl.exe	87
PID 4672 wrote to memory of 812	4672	wmisqtl.exe	87
PID 812 wrote to memory of 4064	812	wmisqtl.exe	88
PID 812 wrote to memory of 4064	812	wmisqtl.exe	88
PID 812 wrote to memory of 4064	812	wmisqtl.exe	88
PID 812 wrote to memory of 4064	812	wmisqtl.exe	88
PID 812 wrote to memory of 4064	812	wmisqtl.exe	88
PID 812 wrote to memory of 4064	812	wmisqtl.exe	88
PID 812 wrote to memory of 4064	812	wmisqtl.exe	88
PID 812 wrote to memory of 4064	812	wmisqtl.exe	88
PID 4064 wrote to memory of 4544	4064	wmisqtl.exe	89
PID 4064 wrote to memory of 4544	4064	wmisqtl.exe	89
PID 4064 wrote to memory of 4544	4064	wmisqtl.exe	89
PID 4544 wrote to memory of 2448	4544	wmisqtl.exe	90
PID 4544 wrote to memory of 2448	4544	wmisqtl.exe	90
PID 4544 wrote to memory of 2448	4544	wmisqtl.exe	90
PID 4544 wrote to memory of 2448	4544	wmisqtl.exe	90
PID 4544 wrote to memory of 2448	4544	wmisqtl.exe	90
PID 4544 wrote to memory of 2448	4544	wmisqtl.exe	90
PID 4544 wrote to memory of 2448	4544	wmisqtl.exe	90
PID 4544 wrote to memory of 2448	4544	wmisqtl.exe	90
PID 2448 wrote to memory of 2880	2448	wmisqtl.exe	95
PID 2448 wrote to memory of 2880	2448	wmisqtl.exe	95
PID 2448 wrote to memory of 2880	2448	wmisqtl.exe	95
PID 2880 wrote to memory of 1532	2880	wmisqtl.exe	96
PID 2880 wrote to memory of 1532	2880	wmisqtl.exe	96
PID 2880 wrote to memory of 1532	2880	wmisqtl.exe	96
PID 2880 wrote to memory of 1532	2880	wmisqtl.exe	96
PID 2880 wrote to memory of 1532	2880	wmisqtl.exe	96
PID 2880 wrote to memory of 1532	2880	wmisqtl.exe	96
PID 2880 wrote to memory of 1532	2880	wmisqtl.exe	96
PID 2880 wrote to memory of 1532	2880	wmisqtl.exe	96
PID 1532 wrote to memory of 1976	1532	wmisqtl.exe	97

C:\Users\Admin\AppData\Local\Temp\e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e040c94783257f9bf033cbc20b183746_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\wmisqtl.exe
    "C:\Windows\system32\wmisqtl.exe" C:\Users\Admin\AppData\Local\Temp\E040C9~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\wmisqtl.exe
      "C:\Windows\system32\wmisqtl.exe" C:\Users\Admin\AppData\Local\Temp\E040C9~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4068
      - C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3476
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4288
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1168
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3864
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3388
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4396
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4384
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4708
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3176
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3532
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:940
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4312
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4552
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3364
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3616
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3412
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:220
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:904
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4432
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4280
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3600
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4852
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4928
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3780
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1068
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4700
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3080
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4808
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4288
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        69⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4120
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        73⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        74⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        75⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3896
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3564
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        81⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4708
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4276
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3672
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4272
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        94⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        95⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3172
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        101⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3076
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        103⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        104⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        105⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3316
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        107⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        109⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:708
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        110⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        111⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4608
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        112⤵
        Checks computer location settings
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        113⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        114⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        115⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        116⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:372
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        118⤵
        Checks computer location settings
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        119⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4788
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        121⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3920
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        122⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        123⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        124⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3144
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        126⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        127⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4240
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        128⤵
        Checks computer location settings
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        129⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        130⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        132⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        133⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        134⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        135⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        136⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        138⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\wmisqtl.exe
        
        "C:\Windows\system32\wmisqtl.exe" C:\Windows\SysWOW64\wmisqtl.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmisqtl.exe

Filesize
216KB

MD5
e040c94783257f9bf033cbc20b183746

SHA1
73dc2cbf4d014d5ad837b170bfbb48f71ac9a6ab

SHA256
e1f0eafeff7232d5aa2f26b2deff354cd711c209704d8e10944cb331c1938adb

SHA512
0e915caf8b6328c09635db7c2f3a6d9aa622cc67c9b8b7bcb5e5b28cd04f3ff40790ec957e0f28bfc895ddd43325b6fa3771aea6517632dec1f18662eaa4221a

Download Submit
memory/212-577-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/336-399-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/388-585-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/436-650-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/436-653-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/812-610-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/812-606-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/904-319-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/904-322-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/940-222-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/940-227-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1016-631-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1016-635-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1052-553-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1052-549-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1068-364-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1168-150-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1168-148-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1400-661-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1532-117-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1532-118-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1532-120-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1544-541-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1544-544-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1652-526-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1652-522-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2112-292-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2112-287-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2124-517-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2152-644-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2152-640-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2240-569-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2448-107-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2448-108-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2448-106-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2448-109-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2488-259-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2488-254-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2536-509-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2536-506-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2596-138-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2596-139-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2648-313-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2648-310-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2660-78-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2660-74-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2660-76-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2660-77-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2660-75-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2664-188-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2664-193-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2692-415-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3028-458-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3080-378-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3080-382-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3168-4-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3168-67-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3168-2-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3168-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3168-5-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3176-203-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3252-391-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3252-387-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3364-270-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3364-266-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3384-483-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3388-158-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3388-162-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3412-303-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3412-299-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3436-420-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3436-424-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3476-131-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3532-215-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3532-209-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3584-618-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3600-339-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3600-336-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3616-277-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3616-281-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-626-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3812-500-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3812-496-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4064-97-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4064-96-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4064-95-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4064-99-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4088-475-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4268-491-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4280-330-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4300-442-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4300-438-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4312-237-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4324-429-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4324-433-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4384-179-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4384-181-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4396-171-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4396-169-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4472-561-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4504-601-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4520-531-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4520-535-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4548-356-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4548-353-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4672-86-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4672-88-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4672-85-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4672-87-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4700-369-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4700-373-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4704-467-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4704-463-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4756-407-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4812-248-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4820-450-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4824-593-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4928-347-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download