Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-09-2024 07:25

Static task: static1
Behavioral task: behavioral1
Sample: dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
Size: 141KB
MD5: dfbc47457506f1f84d558fbbf2ed5ae8
SHA1: 306923228a4f1f3af2e3a03446c9c29a97b8154f
SHA256: 20aae5039a0d9aacc4290b645af3b608c225e40d6640e8fec0170543d2d16678
SHA512: 5a144f8b71eaf9fdd72fbf1e0533dfe459e5e7d0ee78ad409ac72babf0b05dab52ae5d9d1ef80389b025da5c84dfa6c2d524667a826939d6ac7fc6fde8ba48d9
SSDEEP: 3072:YQ4XIcqkHOZpbrZ3icN5JVn23PW2IQrmequ2I5:NUIcpOZpbrZS6Z23vri
Malware Config

Extracted: metasploit
encoder: call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
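The extracted config names Metasploit's x86 call4_dword_xor encoder. Its decoder stub uses a call instruction to get its own address onto the stack, pops it into a register, and then loops over the encoded payload XOR-ing one 32-bit dword at a time with a single key; the key is chosen so that the encoded bytes contain none of the payload's bad characters. Two consequences matter for analysis: with a single-dword key, any four aligned bytes of known plaintext give the key directly, and a scan that only knows four bytes of plaintext matches every offset, so at least eight are needed. The following is an added example, not Metasploit's code (the x86 stub bytes are deliberately not reproduced); it models only the data transform in Python. The sample payload, the bad-character list, the key seed and the filler around the payload are constructed for the example.

```python
"""Model of the dword-XOR transform used by Metasploit's x86/call4_dword_xor encoder.
Added example: not Metasploit's code, and the decoder stub itself is not reproduced."""
import random
import struct


def dword_xor(data, key):
    """XOR data with a 32-bit key one little-endian dword at a time.
    Input is zero-padded to a multiple of 4 bytes. XOR is its own inverse,
    so the same function encodes and decodes."""
    padded = data + b"\x00" * (-len(data) % 4)
    out = bytearray()
    for off in range(0, len(padded), 4):
        (word,) = struct.unpack_from("<I", padded, off)
        out += struct.pack("<I", word ^ key)
    return bytes(out)


def choose_key(payload, badchars, seed=0, tries=100_000):
    """Pick a key whose encoded output contains none of badchars, which is what any
    XOR encoder has to do. The seed makes this example reproducible; a real encoder
    draws the key at random, which is why the key differs from sample to sample."""
    rng = random.Random(seed)
    for _ in range(tries):
        key = rng.getrandbits(32)
        if not any(b in badchars for b in dword_xor(payload, key)):
            return key
    raise RuntimeError("no key avoids the bad characters")


def recover_key(encoded, known_plaintext):
    """Known-plaintext key recovery: first ciphertext dword XOR first plaintext dword."""
    if len(encoded) < 4 or len(known_plaintext) < 4:
        raise ValueError("need at least one full dword of ciphertext and plaintext")
    (c0,) = struct.unpack_from("<I", encoded, 0)
    (p0,) = struct.unpack_from("<I", known_plaintext, 0)
    return c0 ^ p0


def find_encoded(blob, known_prefix):
    """Scan a buffer (a memory dump, say) for offsets where the key implied by the first
    known dword also decodes the rest of the known prefix. With only 4 known bytes every
    offset 'matches', so the prefix must be at least 8 bytes and dword-aligned in length."""
    if len(known_prefix) < 8 or len(known_prefix) % 4:
        raise ValueError("known_prefix must be >= 8 bytes and a multiple of 4")
    hits = []
    for off in range(len(blob) - len(known_prefix) + 1):
        key = recover_key(blob[off:off + 4], known_prefix)
        if dword_xor(blob[off:off + len(known_prefix)], key) == known_prefix:
            hits.append((off, key))
    return hits


# Constructed sample input: an ASCII stand-in for a payload, not real shellcode.
SAMPLE_PAYLOAD = b"CONSTRUCTED SAMPLE PAYLOAD, NOT SHELLCODE\x00"
BADCHARS = b"\x00\x0a\x0d"          # typical null/newline restrictions
KEY = choose_key(SAMPLE_PAYLOAD, BADCHARS)
ENCODED = dword_xor(SAMPLE_PAYLOAD, KEY)
# A constructed 'dump': 64 filler bytes on either side of the encoded payload.
FILLER = bytes(range(1, 65))
DUMP = FILLER + ENCODED + FILLER

if __name__ == "__main__":
    print(f"key=0x{KEY:08x}")
    print("encoded:", ENCODED.hex())
    print("hits (offset, key):", [(o, hex(k)) for o, k in find_encoded(DUMP, SAMPLE_PAYLOAD[:12])])
```

In practice the known prefix would be the first bytes of the decoded payload family you expect (the decoder stub places the encoded payload directly after itself, so the offset found is also where the stub's XOR loop starts writing); the check in find_encoded is what turns a trivially satisfiable 4-byte match into a usable scan.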
Checks computer location settings    2 TTPs    64 IoCs
Looks up country code configured in the registry, likely geofence.

description         ioc                                                                                                  Process                                               rows
Key value queried   \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation   dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe    1
Key value queried   \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation   wiacmfgr.exe                                          63
Deletes itself    1 IoCs

pid    Process
1216   wiacmfgr.exe
Executes dropped EXE    64 IoCs

Process: wiacmfgr.exe (all 64 rows)
pid: 2332, 1216, 1896, 1772, 1596, 3324, 4232, 5044, 1244, 3700, 4936, 3144, 4320, 4308, 3856, 2832, 4292, 1548, 2168, 908, 1832, 4384, 5036, 2948, 4360, 4048, 2100, 3712, 1080, 620, 2404, 1608, 2028, 4548, 2232, 2112, 4844, 3588, 3000, 2724, 2772, 4584, 4992, 616, 1396, 2588, 3816, 2708, 4800, 4804, 2040, 4432, 3084, 1740, 1484, 1596, 4340, 4596, 1244, 5108, 3280, 4912, 2384, 4328
yara_rule upx (memory dumps)    64 IoCs

resource: behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000463000-memory.dmp
yara_rule: upx (all 64 rows; every dump covers the same 0x0000000000400000-0x0000000000463000 region)
pid-n: 2448-0, 2448-2, 2448-3, 2448-4, 2448-65, 1216-70, 1216-71, 1216-72, 1216-73, 1772-81, 3324-88, 5044-95, 3700-104, 3144-109, 3144-111, 4308-118, 2832-125, 1548-134, 908-140, 4384-148, 2948-157, 4048-165, 3712-173, 620-181, 1608-190, 4548-198, 2112-206, 3588-214, 2724-218, 2724-223, 4584-231, 616-239, 2588-243, 2588-247, 2708-253, 4804-256, 4804-260, 4432-266, 1740-272, 1596-278, 4596-284, 5108-290, 4912-296, 4328-302, 1900-308, 3856-314, 3628-320, 3432-326, 4364-332, 4984-338, 3520-344, 1668-350, 2156-356, 2888-362, 1496-368, 4504-374, 3948-380, 5084-386, 2416-392, 1324-398, 4336-402, 4336-405, 208-411, 3500-417
Queries the UAC policy value (EnableLUA)

description         ioc                                                                                 Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe   (1 row)
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   wiacmfgr.exe                                         (all remaining rows)
Drops file in System32 directory    64 IoCs

description                    ioc                                Process
File created                   C:\Windows\SysWOW64\wiacmfgr.exe   wiacmfgr.exe
File opened for modification   C:\Windows\SysWOW64\wiacmfgr.exe   wiacmfgr.exe
(64 rows in total, every one of the two forms above)
Suspicious use of SetThreadContext    64 IoCs

pid    target pid   Process                                              procid_target
3452   2448         dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe   83
2332   1216         wiacmfgr.exe                                         89
1896   1772         wiacmfgr.exe                                         91
1596   3324         wiacmfgr.exe                                         97
4232   5044         wiacmfgr.exe                                         99
1244   3700         wiacmfgr.exe                                         102
4936   3144         wiacmfgr.exe                                         105
4320   4308         wiacmfgr.exe                                         108
3856   2832         wiacmfgr.exe                                         110
4292   1548         wiacmfgr.exe                                         112
2168   908          wiacmfgr.exe                                         114
1832   4384         wiacmfgr.exe                                         116
5036   2948         wiacmfgr.exe                                         118
4360   4048         wiacmfgr.exe                                         120
2100   3712         wiacmfgr.exe                                         122
1080   620          wiacmfgr.exe                                         124
2404   1608         wiacmfgr.exe                                         126
2028   4548         wiacmfgr.exe                                         129
2232   2112         wiacmfgr.exe                                         131
4844   3588         wiacmfgr.exe                                         133
3000   2724         wiacmfgr.exe                                         135
2772   4584         wiacmfgr.exe                                         137
4992   616          wiacmfgr.exe                                         140
1396   2588         wiacmfgr.exe                                         142
3816   2708         wiacmfgr.exe                                         144
4800   4804         wiacmfgr.exe                                         146
2040   4432         wiacmfgr.exe                                         148
3084   1740         wiacmfgr.exe                                         150
1484   1596         wiacmfgr.exe                                         152
4340   4596         wiacmfgr.exe                                         154
1244   5108         wiacmfgr.exe                                         156
3280   4912         wiacmfgr.exe                                         158
2384   4328         wiacmfgr.exe                                         160
1176   1900         wiacmfgr.exe                                         162
4396   3856         wiacmfgr.exe                                         164
2380   3628         wiacmfgr.exe                                         166
2360   3432         wiacmfgr.exe                                         168
4356   4364         wiacmfgr.exe                                         170
4552   4984         wiacmfgr.exe                                         172
3768   3520         wiacmfgr.exe                                         174
3392   1668         wiacmfgr.exe                                         176
2456   2156         wiacmfgr.exe                                         178
3444   2888         wiacmfgr.exe                                         180
668    1496         wiacmfgr.exe                                         182
1484   4504         wiacmfgr.exe                                         184
2904   3948         wiacmfgr.exe                                         186
3956   5084         wiacmfgr.exe                                         188
1360   2416         wiacmfgr.exe                                         190
544    1324         wiacmfgr.exe                                         192
2280   4336         wiacmfgr.exe                                         194
1920   208          wiacmfgr.exe                                         196
3188   3500         wiacmfgr.exe                                         198
508    3488         wiacmfgr.exe                                         200
4636   3884         wiacmfgr.exe                                         202
1344   3864         wiacmfgr.exe                                         204
2692   1288         wiacmfgr.exe                                         206
3924   1988         wiacmfgr.exe                                         208
4744   5048         wiacmfgr.exe                                         210
1896   4020         wiacmfgr.exe                                         212
1996   4604         wiacmfgr.exe                                         214
4432   2888         wiacmfgr.exe                                         216
2612   4988         wiacmfgr.exe                                         218
1636   5028         wiacmfgr.exe                                         220
1008   3524         wiacmfgr.exe                                         222
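The table shows one pattern 64 times: a wiacmfgr.exe instance calls SetThreadContext on a different process of the same name, and the upx yara hits above sit in the memory dumps of exactly those target PIDs (2448, 1216, 1772, 3324, ...), all at 0x400000-0x463000. That is the footprint of a parent writing an image into a child it started and then pointing the child's thread at it, so the dump worth carving is the child's, not the parent's. Note also that PIDs recur across rows: 1244 is the source at index 102 and again at 156, 1596 is a source at 97 and a target at 152, 2888 is a target at 180 and again at 216. In a two-and-a-half-minute run the OS recycles PIDs, so a PID on its own does not name one process in this report; the procid_target index does. The following is an added example, not part of the sandbox output: it parses a copied subset of these rows and of the yara dump names in the flattened form shown on this page, flags recurring PIDs, and joins the two tables on the target PID. The parsing code and the choice of subset are the example's own.

```python
"""Parse and correlate the flattened SetThreadContext and yara memory-dump rows of a
sandbox report. Added example; the row text below is copied from this report, the
parsing and correlation code is not part of the sandbox's output."""
import re
from collections import defaultdict

# Subset of the report's "Suspicious use of SetThreadContext" rows, in the page's flattened
# form: "PID <src> set thread context of <dst> <src> <process> <procid_target>".
SETCTX_ROWS = """
PID 3452 set thread context of 2448 3452 dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe 83
PID 2332 set thread context of 1216 2332 wiacmfgr.exe 89
PID 1596 set thread context of 3324 1596 wiacmfgr.exe 97
PID 1244 set thread context of 3700 1244 wiacmfgr.exe 102
PID 3856 set thread context of 2832 3856 wiacmfgr.exe 110
PID 2040 set thread context of 4432 2040 wiacmfgr.exe 148
PID 1484 set thread context of 1596 1484 wiacmfgr.exe 152
PID 1244 set thread context of 5108 1244 wiacmfgr.exe 156
PID 4396 set thread context of 3856 4396 wiacmfgr.exe 164
PID 3444 set thread context of 2888 3444 wiacmfgr.exe 180
PID 4432 set thread context of 2888 4432 wiacmfgr.exe 216
"""

# Subset of the report's yara rows: "<resource> <rule>", where the resource name encodes
# "<pid>-<sequence>-<start>-<end>-memory.dmp".
DUMP_ROWS = """
behavioral2/memory/2448-0-0x0000000000400000-0x0000000000463000-memory.dmp upx
behavioral2/memory/1216-70-0x0000000000400000-0x0000000000463000-memory.dmp upx
behavioral2/memory/3324-88-0x0000000000400000-0x0000000000463000-memory.dmp upx
behavioral2/memory/2888-362-0x0000000000400000-0x0000000000463000-memory.dmp upx
"""

SETCTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) (\d+) (\S+) (\d+)")
DUMP_RE = re.compile(r"(\S+/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp) (\S+)")


def parse_setctx(text):
    """One dict per row. The source PID appears twice in a flattened row (in the description
    and in the pid column); if the two disagree the columns have been misaligned by extraction."""
    rows = []
    for m in SETCTX_RE.finditer(text):
        src, dst, src_again, proc, idx = m.groups()
        if src != src_again:
            raise ValueError(f"misaligned row: {m.group(0)}")
        rows.append({"src": int(src), "dst": int(dst), "proc": proc, "idx": int(idx)})
    return rows


def parse_dumps(text):
    """One dict per yara row, with pid, sequence number, region bounds and rule name."""
    return [
        {"resource": m[1], "pid": int(m[2]), "seq": int(m[3]),
         "start": int(m[4], 16), "end": int(m[5], 16), "rule": m[6]}
        for m in DUMP_RE.finditer(text)
    ]


def recurring_pids(rows):
    """PIDs that take part in more than one row, with the procid_target indexes involved.
    A PID that is a source in one row and a target in a later one (1596 here), or a target
    twice (2888), has been recycled: a new process was created with it. A PID that is the
    source twice may be one process or two. Either way the row index, not the PID, is the
    key to join this report's tables on."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["src"]].add(r["idx"])
        seen[r["dst"]].add(r["idx"])
    return {pid: sorted(idxs) for pid, idxs in seen.items() if len(idxs) > 1}


def targets_with_packed_dumps(rows, dumps, rule="upx"):
    """SetThreadContext targets whose memory dump matched the given yara rule: the image the
    parent wrote into the child, which is the one to carve for the real payload."""
    targets = {r["dst"] for r in rows}
    return sorted({d["pid"] for d in dumps if d["rule"] == rule and d["pid"] in targets})


def dump_region_sizes(dumps):
    """Distinct sizes of the dumped regions. A single constant size across every child is
    itself a tell that the same image is written into each hollowed process."""
    return sorted({d["end"] - d["start"] for d in dumps})


if __name__ == "__main__":
    rows, dumps = parse_setctx(SETCTX_ROWS), parse_dumps(DUMP_ROWS)
    print("recurring PIDs:", recurring_pids(rows))
    print("targets with packed dumps:", targets_with_packed_dumps(rows, dumps))
    print("dump region sizes:", [hex(s) for s in dump_region_sizes(dumps)])
```

Running it on the full 64-row table rather than the subset is a matter of pasting the rest of the rows into SETCTX_ROWS; the regular expressions are written against the exact flattened layout of this page, so a report with a different column order needs its own patterns.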
Enumerates physical storage devices    1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process  (identical rows collapsed; count in parentheses)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wiacmfgr.exe  (63 rows)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe  (1 row)
-
Modifies registry class 64 IoCs
description  ioc  Process  (identical rows collapsed; count in parentheses)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  wiacmfgr.exe  (63 rows)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe  (1 row)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (each pid appears twice in the original table; 32 pids, 64 rows)
2448  dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
1216  wiacmfgr.exe
1772  wiacmfgr.exe
3324  wiacmfgr.exe
5044  wiacmfgr.exe
3700  wiacmfgr.exe
3144  wiacmfgr.exe
4308  wiacmfgr.exe
2832  wiacmfgr.exe
1548  wiacmfgr.exe
908  wiacmfgr.exe
4384  wiacmfgr.exe
2948  wiacmfgr.exe
4048  wiacmfgr.exe
3712  wiacmfgr.exe
620  wiacmfgr.exe
1608  wiacmfgr.exe
4548  wiacmfgr.exe
2112  wiacmfgr.exe
3588  wiacmfgr.exe
2724  wiacmfgr.exe
4584  wiacmfgr.exe
616  wiacmfgr.exe
2588  wiacmfgr.exe
2708  wiacmfgr.exe
4804  wiacmfgr.exe
4432  wiacmfgr.exe
1740  wiacmfgr.exe
1596  wiacmfgr.exe
4596  wiacmfgr.exe
5108  wiacmfgr.exe
4912  wiacmfgr.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (identical rows collapsed; count in parentheses)
PID 3452 wrote to memory of 2448  3452  dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe  83  (10 rows)
PID 2448 wrote to memory of 2332  2448  dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe  87  (3 rows)
PID 2332 wrote to memory of 1216  2332  wiacmfgr.exe  89  (10 rows)
PID 1216 wrote to memory of 1896  1216  wiacmfgr.exe  90  (3 rows)
PID 1896 wrote to memory of 1772  1896  wiacmfgr.exe  91  (10 rows)
PID 1772 wrote to memory of 1596  1772  wiacmfgr.exe  96  (3 rows)
PID 1596 wrote to memory of 3324  1596  wiacmfgr.exe  97  (10 rows)
PID 3324 wrote to memory of 4232  3324  wiacmfgr.exe  98  (3 rows)
PID 4232 wrote to memory of 5044  4232  wiacmfgr.exe  99  (10 rows)
PID 5044 wrote to memory of 1244  5044  wiacmfgr.exe  101  (2 rows; the listing ends here at 64 IoCs)
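Read together with the process tree below, the WriteProcessMemory table shows a regular pattern: every hop whose writer is also tagged "Suspicious use of SetThreadContext" in the tree (3452, 2332, 1896, 1596, 4232) records ten writes into its child, while the hops from the processes that only carry the discovery and registry signatures record three, and the last hop is cut short by the 64-row listing. The Python below is an added example for this page, not sandbox code: it parses rows of that shape, counts writes per (writer, target) edge, walks the edges from the root PID to recover the chain order, and labels each hop according to whether the writer appears in a set of SetThreadContext PIDs read off the tree. The sample text reproduces the first four hops of the table. The "hollowing candidate" and "plain spawn" labels are my interpretation of that correlation, not a sandbox verdict, and the chain walk assumes no PID reuse among the rows it is given (PID 1596 appears twice in the tree over the full run, so a complete listing would need the procid_target column to disambiguate, which this example does not do).

```python
"""Rebuild the injection chain from flattened 'wrote to memory of' rows.

Added example for this report page, not sandbox or sample code.  SAMPLE_ROWS is
constructed from the first four hops of the WriteProcessMemory table above
(10, 3, 10 and 3 identical rows); SET_THREAD_CONTEXT_PIDS is read off the
process tree below, where those PIDs carry "Suspicious use of SetThreadContext".
The hop labels are my interpretation of that correlation, not a sandbox verdict.
"""
import re

# A row reads "PID <src> wrote to memory of <dst> <src> <process> <procid_target>".
WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<proc>\S+\.exe) (?P<target>\d+)"
)

DROPPER = "dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe"

# Constructed input: the first four hops of the table, with the repeated rows
# regenerated by string multiplication rather than pasted 26 times.
SAMPLE_ROWS = (
    f"PID 3452 wrote to memory of 2448 3452 {DROPPER} 83 " * 10
    + f"PID 2448 wrote to memory of 2332 2448 {DROPPER} 87 " * 3
    + "PID 2332 wrote to memory of 1216 2332 wiacmfgr.exe 89 " * 10
    + "PID 1216 wrote to memory of 1896 1216 wiacmfgr.exe 90 " * 3
)

# PIDs flagged "Suspicious use of SetThreadContext" in the process tree.
SET_THREAD_CONTEXT_PIDS = {3452, 2332, 1896, 1596, 4232}


def count_writes(text):
    """Map (src, dst, process) -> number of rows, in first-seen order."""
    counts = {}
    for m in WRITE_RE.finditer(text):
        edge = (int(m["src"]), int(m["dst"]), m["proc"])
        counts[edge] = counts.get(edge, 0) + 1
    return counts


def chain_order(text):
    """Follow writer -> target edges from the unique root PID.

    Assumes no PID reuse within the rows given (each writer has one target);
    a longer run would need the procid_target column to disambiguate.
    """
    succ = {}
    for src, dst, _ in count_writes(text):
        succ.setdefault(src, dst)
    roots = set(succ) - set(succ.values())
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {sorted(roots)}")
    pid = roots.pop()
    order = [pid]
    while pid in succ:
        pid = succ[pid]
        order.append(pid)
    return order


def classify_hops(text, set_ctx_pids):
    """One dict per hop: write count plus a label derived from whether the
    writer also set a thread context.  In this report ten writes from a
    SetThreadContext process is the shape of a parent hollowing its child;
    three writes from a process without that flag is an ordinary spawn."""
    hops = []
    for (src, dst, proc), n in count_writes(text).items():
        injector = src in set_ctx_pids
        hops.append({
            "src": src,
            "dst": dst,
            "process": proc,
            "writes": n,
            "label": "hollowing candidate" if injector else "plain spawn",
        })
    return hops


if __name__ == "__main__":
    print(" -> ".join(map(str, chain_order(SAMPLE_ROWS))))
    for h in classify_hops(SAMPLE_ROWS, SET_THREAD_CONTEXT_PIDS):
        print(f"{h['src']:>5} -> {h['dst']:<5} {h['writes']:2d} writes  {h['label']}")
```

The useful property for detection engineering is the alternation itself: a parent that writes many times into a suspended child and then sets its thread context, followed by that child merely spawning the next copy, repeats at every odd depth of the tree below, so a rule that pairs WriteProcessMemory volume with SetThreadContext on the same (writer, target) pair catches each generation rather than only the first.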
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfbc47457506f1f84d558fbbf2ed5ae8_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\DFBC47~1.EXE
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\DFBC47~1.EXE
4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3700 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
13⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4936 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3144 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4320 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4308 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
17⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3856 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2832 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4292 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1548 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
21⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:908 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
23⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
24⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4384 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
25⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2948 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
27⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4360 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4048 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2100 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3712 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
31⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1080 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:620 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
33⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
34⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1608 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
35⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2028 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4548 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
38⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2112 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
39⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3588 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
42⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2724 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
43⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2772 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
44⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4584 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
45⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4992 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
46⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:616 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
47⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1396 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2588 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
49⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3816 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
50⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2708 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
51⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4800 -
C:\Windows\SysWOW64\wiacmfgr.exe
"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4804 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe53⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe54⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4432 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe55⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3084 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1740 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe57⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe58⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1596 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe59⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4340 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe60⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4596 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe61⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1244 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5108 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe63⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe64⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4912 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe65⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2384 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe66⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe67⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1176 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe68⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe69⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4396 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe70⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3856 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe71⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe72⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3628 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe73⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2360 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe74⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe75⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe76⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe77⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4552 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe79⤵
- Suspicious use of SetThreadContext
PID:3768 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe80⤵
- Checks computer location settings
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe81⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3392 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe82⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe83⤵
- Suspicious use of SetThreadContext
PID:2456 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe84⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe85⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3444 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe86⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe87⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:668 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe88⤵
- Checks computer location settings
PID:1496 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe89⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe90⤵
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe91⤵
- Suspicious use of SetThreadContext
PID:2904 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe92⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3948 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe93⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3956 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe94⤵
- Checks computer location settings
- Modifies registry class
PID:5084 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe95⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1360 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe96⤵
- Checks computer location settings
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe97⤵
- Suspicious use of SetThreadContext
PID:544 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe99⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe101⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1920 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe102⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:208 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe103⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3188 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3500 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe105⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:508 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe106⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3488 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe107⤵
- Suspicious use of SetThreadContext
PID:4636 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe108⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3884 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe109⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1344 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:3864 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe111⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2692 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe112⤵
- Checks computer location settings
PID:1288 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe113⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3924 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe114⤵
- Checks computer location settings
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe115⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4744 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5048 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe117⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1896 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe118⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe119⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1996 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe120⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe121⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4432 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe122⤵
- Drops file in System32 directory
- Modifies registry class
PID:2888