metasploit | c57f93ef59e128b92725fa21ea639eef5762db792fd5d9f408a439de976f7573

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
Size

142KB
MD5

a28b528c73a2e5e06b5b535db03b9132
SHA1

6b54ee539c8aacdb7b9cd5f6656977019e4c834e
SHA256

c57f93ef59e128b92725fa21ea639eef5762db792fd5d9f408a439de976f7573
SHA512

485e1ad7ac5781a36ade8e6c233d76c97c723790a3a9c7c817b307023a77d05f295e9933ad9a6da3ef309f4c93acb04102ea2013f62d24c1a33f5fca395a09d4
SSDEEP

3072:9N4+69jpWSbgg8LFBAXmlwpqUFCYKwi5s/b:/47jFEgYnA7D1iM

Score

10^/10

metasploit backdoor discovery evasion trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2640	wiacmfgr.exe

Executes dropped EXE 64 IoCs

pid	Process
2924	wiacmfgr.exe
2640	wiacmfgr.exe
2568	wiacmfgr.exe
2548	wiacmfgr.exe
576	wiacmfgr.exe
620	wiacmfgr.exe
2220	wiacmfgr.exe
1312	wiacmfgr.exe
2492	wiacmfgr.exe
2820	wiacmfgr.exe
1880	wiacmfgr.exe
2860	wiacmfgr.exe
2036	wiacmfgr.exe
472	wiacmfgr.exe
2148	wiacmfgr.exe
2744	wiacmfgr.exe
2940	wiacmfgr.exe
2280	wiacmfgr.exe
2856	wiacmfgr.exe
1724	wiacmfgr.exe
3052	wiacmfgr.exe
680	wiacmfgr.exe
2452	wiacmfgr.exe
2064	wiacmfgr.exe
2456	wiacmfgr.exe
2032	wiacmfgr.exe
2776	wiacmfgr.exe
2792	wiacmfgr.exe
1644	wiacmfgr.exe
2256	wiacmfgr.exe
1052	wiacmfgr.exe
2100	wiacmfgr.exe
1180	wiacmfgr.exe
2128	wiacmfgr.exe
2152	wiacmfgr.exe
1472	wiacmfgr.exe
2340	wiacmfgr.exe
1344	wiacmfgr.exe
1792	wiacmfgr.exe
3012	wiacmfgr.exe
2036	wiacmfgr.exe
2932	wiacmfgr.exe
1984	wiacmfgr.exe
2092	wiacmfgr.exe
800	wiacmfgr.exe
444	wiacmfgr.exe
1300	wiacmfgr.exe
692	wiacmfgr.exe
1736	wiacmfgr.exe
1732	wiacmfgr.exe
2968	wiacmfgr.exe
376	wiacmfgr.exe
2444	wiacmfgr.exe
2296	wiacmfgr.exe
2756	wiacmfgr.exe
2752	wiacmfgr.exe
2660	wiacmfgr.exe
1220	wiacmfgr.exe
2504	wiacmfgr.exe
3000	wiacmfgr.exe
1456	wiacmfgr.exe
1804	wiacmfgr.exe
2224	wiacmfgr.exe
2132	wiacmfgr.exe

Loads dropped DLL 64 IoCs

pid	Process
1796	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
1796	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
2640	wiacmfgr.exe
2640	wiacmfgr.exe
2548	wiacmfgr.exe
2548	wiacmfgr.exe
620	wiacmfgr.exe
620	wiacmfgr.exe
1312	wiacmfgr.exe
1312	wiacmfgr.exe
2820	wiacmfgr.exe
2820	wiacmfgr.exe
2860	wiacmfgr.exe
2860	wiacmfgr.exe
472	wiacmfgr.exe
472	wiacmfgr.exe
2744	wiacmfgr.exe
2744	wiacmfgr.exe
2280	wiacmfgr.exe
2280	wiacmfgr.exe
1724	wiacmfgr.exe
1724	wiacmfgr.exe
680	wiacmfgr.exe
680	wiacmfgr.exe
2064	wiacmfgr.exe
2064	wiacmfgr.exe
2032	wiacmfgr.exe
2032	wiacmfgr.exe
2792	wiacmfgr.exe
2792	wiacmfgr.exe
2256	wiacmfgr.exe
2256	wiacmfgr.exe
2100	wiacmfgr.exe
2100	wiacmfgr.exe
2128	wiacmfgr.exe
2128	wiacmfgr.exe
1472	wiacmfgr.exe
1472	wiacmfgr.exe
1344	wiacmfgr.exe
1344	wiacmfgr.exe
3012	wiacmfgr.exe
3012	wiacmfgr.exe
2932	wiacmfgr.exe
2932	wiacmfgr.exe
2092	wiacmfgr.exe
2092	wiacmfgr.exe
444	wiacmfgr.exe
444	wiacmfgr.exe
692	wiacmfgr.exe
692	wiacmfgr.exe
1732	wiacmfgr.exe
1732	wiacmfgr.exe
376	wiacmfgr.exe
376	wiacmfgr.exe
2296	wiacmfgr.exe
2296	wiacmfgr.exe
2752	wiacmfgr.exe
2752	wiacmfgr.exe
1220	wiacmfgr.exe
1220	wiacmfgr.exe
3000	wiacmfgr.exe
3000	wiacmfgr.exe
1804	wiacmfgr.exe
1804	wiacmfgr.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiacmfgr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2924 set thread context of 2640	2924	wiacmfgr.exe	32
PID 2568 set thread context of 2548	2568	wiacmfgr.exe	34
PID 576 set thread context of 620	576	wiacmfgr.exe	36
PID 2220 set thread context of 1312	2220	wiacmfgr.exe	38
PID 2492 set thread context of 2820	2492	wiacmfgr.exe	40
PID 1880 set thread context of 2860	1880	wiacmfgr.exe	42
PID 2036 set thread context of 472	2036	wiacmfgr.exe	44
PID 2148 set thread context of 2744	2148	wiacmfgr.exe	46
PID 2940 set thread context of 2280	2940	wiacmfgr.exe	48
PID 2856 set thread context of 1724	2856	wiacmfgr.exe	50
PID 3052 set thread context of 680	3052	wiacmfgr.exe	52
PID 2452 set thread context of 2064	2452	wiacmfgr.exe	54
PID 2456 set thread context of 2032	2456	wiacmfgr.exe	56
PID 2776 set thread context of 2792	2776	wiacmfgr.exe	59
PID 1644 set thread context of 2256	1644	wiacmfgr.exe	61
PID 1052 set thread context of 2100	1052	wiacmfgr.exe	63
PID 1180 set thread context of 2128	1180	wiacmfgr.exe	65
PID 2152 set thread context of 1472	2152	wiacmfgr.exe	67
PID 2340 set thread context of 1344	2340	wiacmfgr.exe	69
PID 1792 set thread context of 3012	1792	wiacmfgr.exe	71
PID 2036 set thread context of 2932	2036	wiacmfgr.exe	73
PID 1984 set thread context of 2092	1984	wiacmfgr.exe	75
PID 800 set thread context of 444	800	wiacmfgr.exe	77
PID 1300 set thread context of 692	1300	wiacmfgr.exe	79
PID 1736 set thread context of 1732	1736	wiacmfgr.exe	81
PID 2968 set thread context of 376	2968	wiacmfgr.exe	83
PID 2444 set thread context of 2296	2444	wiacmfgr.exe	85
PID 2756 set thread context of 2752	2756	wiacmfgr.exe	87
PID 2660 set thread context of 1220	2660	wiacmfgr.exe	89
PID 2504 set thread context of 3000	2504	wiacmfgr.exe	91
PID 1456 set thread context of 1804	1456	wiacmfgr.exe	93
PID 2224 set thread context of 2132	2224	wiacmfgr.exe	95
PID 2700 set thread context of 2712	2700	wiacmfgr.exe	97
PID 1660 set thread context of 2832	1660	wiacmfgr.exe	99
PID 1292 set thread context of 2016	1292	wiacmfgr.exe	101
PID 2020 set thread context of 2228	2020	wiacmfgr.exe	103
PID 2140 set thread context of 1984	2140	wiacmfgr.exe	105
PID 2288 set thread context of 2088	2288	wiacmfgr.exe	107
PID 1588 set thread context of 752	1588	wiacmfgr.exe	109
PID 1708 set thread context of 1736	1708	wiacmfgr.exe	111
PID 2284 set thread context of 2984	2284	wiacmfgr.exe	113
PID 1056 set thread context of 1680	1056	wiacmfgr.exe	115
PID 1072 set thread context of 2428	1072	wiacmfgr.exe	117
PID 1836 set thread context of 2516	1836	wiacmfgr.exe	119
PID 2996 set thread context of 1620	2996	wiacmfgr.exe	121
PID 2376 set thread context of 1936	2376	wiacmfgr.exe	123
PID 2740 set thread context of 2864	2740	wiacmfgr.exe	125
PID 1152 set thread context of 2604	1152	wiacmfgr.exe	127
PID 2324 set thread context of 344	2324	wiacmfgr.exe	129
PID 2904 set thread context of 2416	2904	wiacmfgr.exe	131
PID 2688 set thread context of 1892	2688	wiacmfgr.exe	133
PID 1884 set thread context of 3056	1884	wiacmfgr.exe	135
PID 1768 set thread context of 2076	1768	wiacmfgr.exe	137
PID 1332 set thread context of 1580	1332	wiacmfgr.exe	139
PID 1552 set thread context of 2368	1552	wiacmfgr.exe	141
PID 2964 set thread context of 2976	2964	wiacmfgr.exe	143
PID 2436 set thread context of 1056	2436	wiacmfgr.exe	145
PID 2156 set thread context of 2512	2156	wiacmfgr.exe	147
PID 2500 set thread context of 2524	2500	wiacmfgr.exe	149
PID 756 set thread context of 2992	756	wiacmfgr.exe	151
PID 1016 set thread context of 2124	1016	wiacmfgr.exe	153
PID 2224 set thread context of 2740	2224	wiacmfgr.exe	155
PID 1968 set thread context of 1152	1968	wiacmfgr.exe	157

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1796-6-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1796-7-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1796-2-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1796-20-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2640-27-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2640-28-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2640-33-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2548-40-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2548-41-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2548-39-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2548-48-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/620-54-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/620-55-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/620-59-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1312-73-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2820-86-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2860-100-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/472-113-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2744-118-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2744-127-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2280-135-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2280-142-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1724-150-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1724-156-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/680-169-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2064-178-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2064-184-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2032-190-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2032-201-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2792-211-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2256-217-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2256-221-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2100-230-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2128-239-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1472-248-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1344-257-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3012-259-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3012-267-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2932-270-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2932-277-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2092-286-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/444-295-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/692-304-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1732-313-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/376-322-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2296-331-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2752-340-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1220-349-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3000-358-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1804-367-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2132-376-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2712-385-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2832-394-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2016-403-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2228-412-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1984-421-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2088-430-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/752-439-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1736-448-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2984-457-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1680-466-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2428-475-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2516-484-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
2640	wiacmfgr.exe
2548	wiacmfgr.exe
620	wiacmfgr.exe
1312	wiacmfgr.exe
2820	wiacmfgr.exe
2860	wiacmfgr.exe
472	wiacmfgr.exe
2744	wiacmfgr.exe
2280	wiacmfgr.exe
1724	wiacmfgr.exe
680	wiacmfgr.exe
2064	wiacmfgr.exe
2792	wiacmfgr.exe
2256	wiacmfgr.exe
2100	wiacmfgr.exe
2128	wiacmfgr.exe
1472	wiacmfgr.exe
1344	wiacmfgr.exe
3012	wiacmfgr.exe
2932	wiacmfgr.exe
2092	wiacmfgr.exe
444	wiacmfgr.exe
692	wiacmfgr.exe
1732	wiacmfgr.exe
376	wiacmfgr.exe
2296	wiacmfgr.exe
2752	wiacmfgr.exe
1220	wiacmfgr.exe
3000	wiacmfgr.exe
1804	wiacmfgr.exe
2132	wiacmfgr.exe
2712	wiacmfgr.exe
2832	wiacmfgr.exe
2016	wiacmfgr.exe
2228	wiacmfgr.exe
1984	wiacmfgr.exe
2088	wiacmfgr.exe
752	wiacmfgr.exe
1736	wiacmfgr.exe
2984	wiacmfgr.exe
1680	wiacmfgr.exe
2428	wiacmfgr.exe
2516	wiacmfgr.exe
1620	wiacmfgr.exe
1936	wiacmfgr.exe
2864	wiacmfgr.exe
2604	wiacmfgr.exe
344	wiacmfgr.exe
2416	wiacmfgr.exe
1892	wiacmfgr.exe
3056	wiacmfgr.exe
2076	wiacmfgr.exe
1580	wiacmfgr.exe
2368	wiacmfgr.exe
2976	wiacmfgr.exe
1056	wiacmfgr.exe
2512	wiacmfgr.exe
2524	wiacmfgr.exe
2992	wiacmfgr.exe
2124	wiacmfgr.exe
2740	wiacmfgr.exe
1152	wiacmfgr.exe
2272	wiacmfgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 2200 wrote to memory of 1796	2200	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	30
PID 1796 wrote to memory of 2924	1796	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2924	1796	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2924	1796	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2924	1796	a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2924 wrote to memory of 2640	2924	wiacmfgr.exe	32
PID 2640 wrote to memory of 2568	2640	wiacmfgr.exe	33
PID 2640 wrote to memory of 2568	2640	wiacmfgr.exe	33
PID 2640 wrote to memory of 2568	2640	wiacmfgr.exe	33
PID 2640 wrote to memory of 2568	2640	wiacmfgr.exe	33
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2568 wrote to memory of 2548	2568	wiacmfgr.exe	34
PID 2548 wrote to memory of 576	2548	wiacmfgr.exe	35
PID 2548 wrote to memory of 576	2548	wiacmfgr.exe	35
PID 2548 wrote to memory of 576	2548	wiacmfgr.exe	35
PID 2548 wrote to memory of 576	2548	wiacmfgr.exe	35
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 576 wrote to memory of 620	576	wiacmfgr.exe	36
PID 620 wrote to memory of 2220	620	wiacmfgr.exe	37
PID 620 wrote to memory of 2220	620	wiacmfgr.exe	37
PID 620 wrote to memory of 2220	620	wiacmfgr.exe	37
PID 620 wrote to memory of 2220	620	wiacmfgr.exe	37
PID 2220 wrote to memory of 1312	2220	wiacmfgr.exe	38
PID 2220 wrote to memory of 1312	2220	wiacmfgr.exe	38
PID 2220 wrote to memory of 1312	2220	wiacmfgr.exe	38
PID 2220 wrote to memory of 1312	2220	wiacmfgr.exe	38

C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\wiacmfgr.exe
    "C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\A28B52~1.EXE
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\wiacmfgr.exe
      "C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\A28B52~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1312
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        11⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        13⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1880
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        15⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2036
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:472
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        17⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2148
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        19⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        21⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2856
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        23⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:680
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        25⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2452
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        27⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2456
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2032
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        29⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2776
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1644
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        33⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1052
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2152
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1472
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        39⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2340
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1344
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1792
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        43⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        45⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1984
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2092
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        47⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        49⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1300
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:692
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        51⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1736
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        53⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2968
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:376
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        55⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        57⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2756
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        59⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2660
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        61⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1456
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        65⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2132
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        67⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        68⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        69⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        70⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        71⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1292
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        72⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        73⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2228
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        75⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        76⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        77⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2288
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        78⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        79⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1588
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        80⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        81⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1708
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        83⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        85⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1056
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        86⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        87⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1072
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        88⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        89⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        90⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2996
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        93⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        94⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        95⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2740
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        97⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1152
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        98⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        99⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        100⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:344
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        101⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2904
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        103⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        105⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1884
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        106⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        107⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1768
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        108⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        109⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1332
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        110⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        111⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        112⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        113⤵
        Suspicious use of SetThreadContext
        
        PID:2964
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        114⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2436
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1056
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        117⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2156
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        119⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:2500
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        120⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        121⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:756
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        123⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        
        PID:1016
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        124⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        125⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        126⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        127⤵
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        128⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1152
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        129⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        130⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        131⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        132⤵
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        133⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        134⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        135⤵
        Checks whether UAC is enabled
        
        PID:2148
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        137⤵
        Checks whether UAC is enabled
        
        PID:2940
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        138⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        140⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        141⤵
        Checks whether UAC is enabled
        
        PID:1616
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        143⤵
        Checks whether UAC is enabled
        
        PID:2452
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        144⤵
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        145⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        146⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        147⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wiacmfgr.exe

Filesize
142KB

MD5
a28b528c73a2e5e06b5b535db03b9132

SHA1
6b54ee539c8aacdb7b9cd5f6656977019e4c834e

SHA256
c57f93ef59e128b92725fa21ea639eef5762db792fd5d9f408a439de976f7573

SHA512
485e1ad7ac5781a36ade8e6c233d76c97c723790a3a9c7c817b307023a77d05f295e9933ad9a6da3ef309f4c93acb04102ea2013f62d24c1a33f5fca395a09d4

Download Submit
memory/344-529-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/376-322-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/444-295-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/472-113-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/620-55-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/620-59-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/620-54-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/680-169-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/692-304-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/752-439-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1056-601-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1064-727-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1072-736-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1152-655-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1220-349-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1272-673-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1312-73-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1344-257-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1472-248-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1520-709-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1580-574-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1600-700-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1620-493-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1680-466-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1708-718-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1724-150-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1724-156-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1732-313-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1736-448-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1796-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1796-2-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1796-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1796-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1796-20-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1796-7-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1804-367-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1892-547-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1936-502-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1984-421-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2016-403-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2032-201-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2032-190-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2064-178-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2064-184-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2076-565-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2088-430-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2092-286-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2100-230-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2124-637-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2128-239-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-376-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2228-412-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2256-217-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2256-221-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2272-664-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2280-135-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2280-142-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2296-331-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2300-691-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2368-583-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2416-538-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2428-475-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2512-610-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2516-484-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-619-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2548-48-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2548-41-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2548-40-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2548-39-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2604-520-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2640-28-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2640-27-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2640-33-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2648-682-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2712-385-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2740-646-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2744-127-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2744-118-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2752-340-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2792-211-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2820-86-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2832-394-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2860-100-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2864-511-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2932-277-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2932-270-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2976-592-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2984-457-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2992-628-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3000-358-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3012-259-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3012-267-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3056-556-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download