metasploit | 20aae5039a0d9aacc4290b645af3b608c225e40d6640e8fec0170543d2d16678

Analysis

max time kernel
132s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
Size

141KB
MD5

dfbc47457506f1f84d558fbbf2ed5ae8
SHA1

306923228a4f1f3af2e3a03446c9c29a97b8154f
SHA256

20aae5039a0d9aacc4290b645af3b608c225e40d6640e8fec0170543d2d16678
SHA512

5a144f8b71eaf9fdd72fbf1e0533dfe459e5e7d0ee78ad409ac72babf0b05dab52ae5d9d1ef80389b025da5c84dfa6c2d524667a826939d6ac7fc6fde8ba48d9
SSDEEP

3072:YQ4XIcqkHOZpbrZ3icN5JVn23PW2IQrmequ2I5:NUIcpOZpbrZS6Z23vri

Score

10^/10

metasploit backdoor discovery evasion trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2148	wiacmfgr.exe

Executes dropped EXE 64 IoCs

pid	Process
2752	wiacmfgr.exe
2148	wiacmfgr.exe
3032	wiacmfgr.exe
3052	wiacmfgr.exe
2932	wiacmfgr.exe
3044	wiacmfgr.exe
108	wiacmfgr.exe
2068	wiacmfgr.exe
596	wiacmfgr.exe
1624	wiacmfgr.exe
1772	wiacmfgr.exe
1152	wiacmfgr.exe
1920	wiacmfgr.exe
2188	wiacmfgr.exe
2944	wiacmfgr.exe
2004	wiacmfgr.exe
1916	wiacmfgr.exe
1020	wiacmfgr.exe
1548	wiacmfgr.exe
2420	wiacmfgr.exe
2512	wiacmfgr.exe
2028	wiacmfgr.exe
1868	wiacmfgr.exe
600	wiacmfgr.exe
1564	wiacmfgr.exe
2704	wiacmfgr.exe
2812	wiacmfgr.exe
2820	wiacmfgr.exe
2900	wiacmfgr.exe
2588	wiacmfgr.exe
2592	wiacmfgr.exe
1756	wiacmfgr.exe
2884	wiacmfgr.exe
3028	wiacmfgr.exe
2656	wiacmfgr.exe
1716	wiacmfgr.exe
1244	wiacmfgr.exe
580	wiacmfgr.exe
1680	wiacmfgr.exe
2736	wiacmfgr.exe
2388	wiacmfgr.exe
2116	wiacmfgr.exe
2160	wiacmfgr.exe
1792	wiacmfgr.exe
1988	wiacmfgr.exe
2984	wiacmfgr.exe
1056	wiacmfgr.exe
1708	wiacmfgr.exe
2412	wiacmfgr.exe
1480	wiacmfgr.exe
2080	wiacmfgr.exe
3000	wiacmfgr.exe
3068	wiacmfgr.exe
2332	wiacmfgr.exe
3012	wiacmfgr.exe
2344	wiacmfgr.exe
2668	wiacmfgr.exe
2688	wiacmfgr.exe
2272	wiacmfgr.exe
2756	wiacmfgr.exe
2616	wiacmfgr.exe
2532	wiacmfgr.exe
1724	wiacmfgr.exe
2880	wiacmfgr.exe

Loads dropped DLL 64 IoCs

pid	Process
2212	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
2212	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
2752	wiacmfgr.exe
2148	wiacmfgr.exe
2148	wiacmfgr.exe
3052	wiacmfgr.exe
3052	wiacmfgr.exe
3044	wiacmfgr.exe
3044	wiacmfgr.exe
2068	wiacmfgr.exe
2068	wiacmfgr.exe
1624	wiacmfgr.exe
1624	wiacmfgr.exe
1152	wiacmfgr.exe
1152	wiacmfgr.exe
2188	wiacmfgr.exe
2188	wiacmfgr.exe
2004	wiacmfgr.exe
2004	wiacmfgr.exe
1020	wiacmfgr.exe
1020	wiacmfgr.exe
2420	wiacmfgr.exe
2420	wiacmfgr.exe
2028	wiacmfgr.exe
2028	wiacmfgr.exe
600	wiacmfgr.exe
600	wiacmfgr.exe
2704	wiacmfgr.exe
2704	wiacmfgr.exe
2820	wiacmfgr.exe
2820	wiacmfgr.exe
2588	wiacmfgr.exe
2588	wiacmfgr.exe
1756	wiacmfgr.exe
1756	wiacmfgr.exe
3028	wiacmfgr.exe
3028	wiacmfgr.exe
1716	wiacmfgr.exe
1716	wiacmfgr.exe
580	wiacmfgr.exe
580	wiacmfgr.exe
2736	wiacmfgr.exe
2736	wiacmfgr.exe
2116	wiacmfgr.exe
2116	wiacmfgr.exe
1792	wiacmfgr.exe
1792	wiacmfgr.exe
2984	wiacmfgr.exe
2984	wiacmfgr.exe
1708	wiacmfgr.exe
1708	wiacmfgr.exe
1480	wiacmfgr.exe
1480	wiacmfgr.exe
3000	wiacmfgr.exe
3000	wiacmfgr.exe
2332	wiacmfgr.exe
2332	wiacmfgr.exe
2344	wiacmfgr.exe
2344	wiacmfgr.exe
2688	wiacmfgr.exe
2688	wiacmfgr.exe
2756	wiacmfgr.exe
2756	wiacmfgr.exe
2532	wiacmfgr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2212-5-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2212-6-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2212-7-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2212-20-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2148-28-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2148-29-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2148-30-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2148-36-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3052-49-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3044-55-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3044-56-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3044-62-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2068-67-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2068-69-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2068-74-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1624-78-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1624-82-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1624-83-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1624-89-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1152-102-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2188-116-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2004-129-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1020-143-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2420-156-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2028-169-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/600-183-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2704-195-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2820-204-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2588-213-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1756-222-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3028-231-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1716-240-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/580-249-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2736-258-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2116-267-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1792-276-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2984-285-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1708-294-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1480-303-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3000-312-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2332-321-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2344-333-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2688-342-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2756-351-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2532-360-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2880-369-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3048-378-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1664-387-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1568-396-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1836-405-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1972-414-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2516-423-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/940-432-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1632-441-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2424-450-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/904-459-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2700-468-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2808-477-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2676-486-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3036-495-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2836-504-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2236-513-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2396-522-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2752 set thread context of 2148	2752	wiacmfgr.exe	33
PID 3032 set thread context of 3052	3032	wiacmfgr.exe	35
PID 2932 set thread context of 3044	2932	wiacmfgr.exe	37
PID 108 set thread context of 2068	108	wiacmfgr.exe	39
PID 596 set thread context of 1624	596	wiacmfgr.exe	41
PID 1772 set thread context of 1152	1772	wiacmfgr.exe	43
PID 1920 set thread context of 2188	1920	wiacmfgr.exe	45
PID 2944 set thread context of 2004	2944	wiacmfgr.exe	47
PID 1916 set thread context of 1020	1916	wiacmfgr.exe	49
PID 1548 set thread context of 2420	1548	wiacmfgr.exe	51
PID 2512 set thread context of 2028	2512	wiacmfgr.exe	53
PID 1868 set thread context of 600	1868	wiacmfgr.exe	55
PID 1564 set thread context of 2704	1564	wiacmfgr.exe	57
PID 2812 set thread context of 2820	2812	wiacmfgr.exe	59
PID 2900 set thread context of 2588	2900	wiacmfgr.exe	61
PID 2592 set thread context of 1756	2592	wiacmfgr.exe	63
PID 2884 set thread context of 3028	2884	wiacmfgr.exe	65
PID 2656 set thread context of 1716	2656	wiacmfgr.exe	67
PID 1244 set thread context of 580	1244	wiacmfgr.exe	69
PID 1680 set thread context of 2736	1680	wiacmfgr.exe	71
PID 2388 set thread context of 2116	2388	wiacmfgr.exe	73
PID 2160 set thread context of 1792	2160	wiacmfgr.exe	75
PID 1988 set thread context of 2984	1988	wiacmfgr.exe	77
PID 1056 set thread context of 1708	1056	wiacmfgr.exe	79
PID 2412 set thread context of 1480	2412	wiacmfgr.exe	81
PID 2080 set thread context of 3000	2080	wiacmfgr.exe	83
PID 3068 set thread context of 2332	3068	wiacmfgr.exe	85
PID 3012 set thread context of 2344	3012	wiacmfgr.exe	87
PID 2668 set thread context of 2688	2668	wiacmfgr.exe	89
PID 2272 set thread context of 2756	2272	wiacmfgr.exe	91
PID 2616 set thread context of 2532	2616	wiacmfgr.exe	93
PID 1724 set thread context of 2880	1724	wiacmfgr.exe	95
PID 1508 set thread context of 3048	1508	wiacmfgr.exe	97
PID 1392 set thread context of 1664	1392	wiacmfgr.exe	99
PID 480 set thread context of 1568	480	wiacmfgr.exe	101
PID 2440 set thread context of 1836	2440	wiacmfgr.exe	103
PID 2136 set thread context of 1972	2136	wiacmfgr.exe	105
PID 1260 set thread context of 2516	1260	wiacmfgr.exe	107
PID 1056 set thread context of 940	1056	wiacmfgr.exe	109
PID 1000 set thread context of 1632	1000	wiacmfgr.exe	111
PID 1264 set thread context of 2424	1264	wiacmfgr.exe	113
PID 2444 set thread context of 904	2444	wiacmfgr.exe	115
PID 2072 set thread context of 2700	2072	wiacmfgr.exe	117
PID 2664 set thread context of 2808	2664	wiacmfgr.exe	119
PID 568 set thread context of 2676	568	wiacmfgr.exe	121
PID 1740 set thread context of 3036	1740	wiacmfgr.exe	123
PID 2884 set thread context of 2836	2884	wiacmfgr.exe	125
PID 2656 set thread context of 2236	2656	wiacmfgr.exe	127
PID 684 set thread context of 2396	684	wiacmfgr.exe	129
PID 2868 set thread context of 1840	2868	wiacmfgr.exe	131
PID 1316 set thread context of 2388	1316	wiacmfgr.exe	133
PID 2252 set thread context of 2160	2252	wiacmfgr.exe	135
PID 2060 set thread context of 2192	2060	wiacmfgr.exe	137
PID 2788 set thread context of 3004	2788	wiacmfgr.exe	139
PID 2728 set thread context of 1872	2728	wiacmfgr.exe	141
PID 956 set thread context of 2316	956	wiacmfgr.exe	143
PID 3016 set thread context of 2512	3016	wiacmfgr.exe	145
PID 868 set thread context of 2340	868	wiacmfgr.exe	147
PID 1700 set thread context of 2768	1700	wiacmfgr.exe	149
PID 2812 set thread context of 2172	2812	wiacmfgr.exe	151
PID 2024 set thread context of 2364	2024	wiacmfgr.exe	153
PID 2912 set thread context of 2936	2912	wiacmfgr.exe	155
PID 1428 set thread context of 1128	1428	wiacmfgr.exe	157

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
2148	wiacmfgr.exe
3052	wiacmfgr.exe
3044	wiacmfgr.exe
2068	wiacmfgr.exe
1624	wiacmfgr.exe
1152	wiacmfgr.exe
2188	wiacmfgr.exe
2004	wiacmfgr.exe
1020	wiacmfgr.exe
2420	wiacmfgr.exe
2028	wiacmfgr.exe
600	wiacmfgr.exe
2704	wiacmfgr.exe
2820	wiacmfgr.exe
2588	wiacmfgr.exe
1756	wiacmfgr.exe
3028	wiacmfgr.exe
1716	wiacmfgr.exe
580	wiacmfgr.exe
2736	wiacmfgr.exe
2116	wiacmfgr.exe
1792	wiacmfgr.exe
2984	wiacmfgr.exe
1708	wiacmfgr.exe
1480	wiacmfgr.exe
3000	wiacmfgr.exe
2332	wiacmfgr.exe
2688	wiacmfgr.exe
2756	wiacmfgr.exe
2532	wiacmfgr.exe
2880	wiacmfgr.exe
3048	wiacmfgr.exe
1664	wiacmfgr.exe
1568	wiacmfgr.exe
1836	wiacmfgr.exe
1972	wiacmfgr.exe
2516	wiacmfgr.exe
940	wiacmfgr.exe
1632	wiacmfgr.exe
2424	wiacmfgr.exe
904	wiacmfgr.exe
2700	wiacmfgr.exe
2808	wiacmfgr.exe
2676	wiacmfgr.exe
3036	wiacmfgr.exe
2836	wiacmfgr.exe
2236	wiacmfgr.exe
2396	wiacmfgr.exe
1840	wiacmfgr.exe
2388	wiacmfgr.exe
2160	wiacmfgr.exe
2192	wiacmfgr.exe
3004	wiacmfgr.exe
1872	wiacmfgr.exe
2316	wiacmfgr.exe
2512	wiacmfgr.exe
2340	wiacmfgr.exe
2768	wiacmfgr.exe
2172	wiacmfgr.exe
2364	wiacmfgr.exe
2936	wiacmfgr.exe
1128	wiacmfgr.exe
1276	wiacmfgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2212	2308	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	31
PID 2212 wrote to memory of 2752	2212	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2752	2212	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2752	2212	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2752	2212	dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe	32
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2752 wrote to memory of 2148	2752	wiacmfgr.exe	33
PID 2148 wrote to memory of 3032	2148	wiacmfgr.exe	34
PID 2148 wrote to memory of 3032	2148	wiacmfgr.exe	34
PID 2148 wrote to memory of 3032	2148	wiacmfgr.exe	34
PID 2148 wrote to memory of 3032	2148	wiacmfgr.exe	34
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3032 wrote to memory of 3052	3032	wiacmfgr.exe	35
PID 3052 wrote to memory of 2932	3052	wiacmfgr.exe	36
PID 3052 wrote to memory of 2932	3052	wiacmfgr.exe	36
PID 3052 wrote to memory of 2932	3052	wiacmfgr.exe	36
PID 3052 wrote to memory of 2932	3052	wiacmfgr.exe	36
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 2932 wrote to memory of 3044	2932	wiacmfgr.exe	37
PID 3044 wrote to memory of 108	3044	wiacmfgr.exe	38
PID 3044 wrote to memory of 108	3044	wiacmfgr.exe	38
PID 3044 wrote to memory of 108	3044	wiacmfgr.exe	38
PID 3044 wrote to memory of 108	3044	wiacmfgr.exe	38
PID 108 wrote to memory of 2068	108	wiacmfgr.exe	39
PID 108 wrote to memory of 2068	108	wiacmfgr.exe	39
PID 108 wrote to memory of 2068	108	wiacmfgr.exe	39
PID 108 wrote to memory of 2068	108	wiacmfgr.exe	39

C:\Users\Admin\AppData\Local\Temp\dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\wiacmfgr.exe
    "C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\DFBC47~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\wiacmfgr.exe
      "C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\DFBC47~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        11⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        13⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1152
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        15⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        17⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        19⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1916
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        21⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1548
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        25⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1868
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:600
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        27⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        31⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2900
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2588
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        33⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        35⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2884
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        37⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        39⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1244
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:580
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1680
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        43⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        45⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2160
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        47⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1988
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        49⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1056
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        51⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2412
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        53⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2080
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3068
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3012
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2344
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        59⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2668
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        61⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2272
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        63⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2616
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2532
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        65⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1724
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        67⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        68⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        69⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        71⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:480
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        73⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2440
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        75⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2136
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        76⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1972
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        77⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        78⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        79⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        80⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:940
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        81⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        82⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        83⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        84⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        85⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        86⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:904
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        87⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        89⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2664
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        90⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        91⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:568
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        93⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1740
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        94⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        95⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2884
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        96⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        97⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        98⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        99⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        101⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        102⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        103⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        104⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        105⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2252
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        106⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2160
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        107⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        108⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        109⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2788
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        110⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        111⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2728
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        112⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        113⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:956
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        114⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2316
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        115⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        116⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        117⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:868
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        118⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        119⤵
        Suspicious use of SetThreadContext
        
        PID:1700
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        120⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        121⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2812
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        122⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        123⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2024
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        124⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        125⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2912
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        126⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        127⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1428
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        128⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1128
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        129⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        130⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1276
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        131⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        132⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        133⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        135⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        137⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        139⤵
        Checks whether UAC is enabled
        
        PID:1328
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        140⤵
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        142⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        143⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        145⤵
        Checks whether UAC is enabled
        
        PID:112
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        146⤵
        
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wiacmfgr.exe

Filesize
141KB

MD5
dfbc47457506f1f84d558fbbf2ed5ae8

SHA1
306923228a4f1f3af2e3a03446c9c29a97b8154f

SHA256
20aae5039a0d9aacc4290b645af3b608c225e40d6640e8fec0170543d2d16678

SHA512
5a144f8b71eaf9fdd72fbf1e0533dfe459e5e7d0ee78ad409ac72babf0b05dab52ae5d9d1ef80389b025da5c84dfa6c2d524667a826939d6ac7fc6fde8ba48d9

Download Submit
memory/304-694-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/580-249-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/600-183-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/904-459-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/940-432-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1020-143-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1044-721-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1120-712-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1128-644-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1128-649-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1152-102-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1276-658-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1380-703-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1480-303-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1568-396-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1624-83-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1624-78-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1624-82-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1624-89-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1632-441-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1664-387-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1708-294-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1716-240-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1756-222-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1792-276-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1836-405-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1840-531-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1872-576-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1920-685-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1972-414-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2004-129-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2028-169-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2068-74-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2068-69-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2068-67-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2116-267-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2148-30-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2148-29-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2148-28-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2148-36-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2160-549-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2172-621-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2188-116-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2192-558-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2212-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2212-7-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2212-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2212-20-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2212-5-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2212-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2236-513-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2316-585-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2332-321-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2340-603-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2344-333-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2364-630-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2388-540-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2396-522-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2420-156-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2424-450-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2512-594-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2516-423-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2532-360-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2588-213-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2676-486-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2688-342-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2700-468-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2704-195-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2736-258-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2756-351-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2768-612-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2808-477-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2820-204-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2836-504-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2860-667-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2880-369-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2936-639-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2964-676-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2984-285-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3000-312-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3004-567-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3028-231-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3036-495-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3044-62-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3044-56-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3044-55-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3048-378-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3052-49-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download