Analysis
max time kernel: 150s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2024 14:54

Static task: static1
Behavioral task: behavioral1
Sample: a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
Size: 142KB
MD5: a28b528c73a2e5e06b5b535db03b9132
SHA1: 6b54ee539c8aacdb7b9cd5f6656977019e4c834e
SHA256: c57f93ef59e128b92725fa21ea639eef5762db792fd5d9f408a439de976f7573
SHA512: 485e1ad7ac5781a36ade8e6c233d76c97c723790a3a9c7c817b307023a77d05f295e9933ad9a6da3ef309f4c93acb04102ea2013f62d24c1a33f5fca395a09d4
SSDEEP: 3072:9N4+69jpWSbgg8LFBAXmlwpqUFCYKwi5s/b:/47jFEgYnA7D1iM
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.

Description | IoC | Process | Rows
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | wiacmfgr.exe | 63
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe | 1
Deletes itself (1 IoCs)

PID | Process
1880 | wiacmfgr.exe
Executes dropped EXE (64 IoCs)

Process: wiacmfgr.exe, 64 rows. PIDs in the order listed (some PIDs recur, i.e. were reused): 1108, 1880, 2864, 2152, 2200, 1804, 2212, 1100, 1288, 3964, 2804, 1792, 1424, 3108, 4376, 1340, 1448, 3352, 408, 2680, 400, 3524, 5108, 4612, 744, 4692, 3240, 4936, 3912, 2064, 3708, 1108, 1464, 3056, 2044, 732, 1520, 3888, 2944, 1496, 4828, 4820, 1640, 3556, 3212, 4248, 1448, 2248, 408, 2028, 2908, 5072, 4636, 4436, 4916, 1512, 3900, 3448, 2380, 4188, 3052, 4380, 2564, 3724
Description | IoC | Process | Rows
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wiacmfgr.exe | 63
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe | 1
Drops file in System32 directory (64 IoCs)

Description | IoC | Process | Rows
File created | C:\Windows\SysWOW64\wiacmfgr.exe | a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe | 1
File created | C:\Windows\SysWOW64\wiacmfgr.exe | wiacmfgr.exe | 29
File opened for modification | C:\Windows\SysWOW64\wiacmfgr.exe | a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\SysWOW64\wiacmfgr.exe | wiacmfgr.exe | 33
Suspicious use of SetThreadContext (64 IoCs)

Description | PID | Process | procid_target
PID 4692 set thread context of 3620 | 4692 | a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe | 82
PID 1108 set thread context of 1880 | 1108 | wiacmfgr.exe | 84
PID 2864 set thread context of 2152 | 2864 | wiacmfgr.exe | 88
PID 2200 set thread context of 1804 | 2200 | wiacmfgr.exe | 92
PID 2212 set thread context of 1100 | 2212 | wiacmfgr.exe | 95
PID 1288 set thread context of 3964 | 1288 | wiacmfgr.exe | 97
PID 2804 set thread context of 1792 | 2804 | wiacmfgr.exe | 101
PID 1424 set thread context of 3108 | 1424 | wiacmfgr.exe | 103
PID 4376 set thread context of 1340 | 4376 | wiacmfgr.exe | 105
PID 1448 set thread context of 3352 | 1448 | wiacmfgr.exe | 107
PID 408 set thread context of 2680 | 408 | wiacmfgr.exe | 109
PID 400 set thread context of 3524 | 400 | wiacmfgr.exe | 111
PID 5108 set thread context of 4612 | 5108 | wiacmfgr.exe | 113
PID 744 set thread context of 4692 | 744 | wiacmfgr.exe | 115
PID 3240 set thread context of 4936 | 3240 | wiacmfgr.exe | 118
PID 3912 set thread context of 2064 | 3912 | wiacmfgr.exe | 120
PID 3708 set thread context of 1108 | 3708 | wiacmfgr.exe | 122
PID 1464 set thread context of 3056 | 1464 | wiacmfgr.exe | 124
PID 2044 set thread context of 732 | 2044 | wiacmfgr.exe | 126
PID 1520 set thread context of 3888 | 1520 | wiacmfgr.exe | 128
PID 2944 set thread context of 1496 | 2944 | wiacmfgr.exe | 131
PID 4828 set thread context of 4820 | 4828 | wiacmfgr.exe | 133
PID 1640 set thread context of 3556 | 1640 | wiacmfgr.exe | 135
PID 3212 set thread context of 4248 | 3212 | wiacmfgr.exe | 137
PID 1448 set thread context of 2248 | 1448 | wiacmfgr.exe | 139
PID 408 set thread context of 2028 | 408 | wiacmfgr.exe | 141
PID 2908 set thread context of 5072 | 2908 | wiacmfgr.exe | 143
PID 4636 set thread context of 4436 | 4636 | wiacmfgr.exe | 145
PID 4916 set thread context of 1512 | 4916 | wiacmfgr.exe | 147
PID 3900 set thread context of 3448 | 3900 | wiacmfgr.exe | 149
PID 2380 set thread context of 4188 | 2380 | wiacmfgr.exe | 151
PID 3052 set thread context of 4380 | 3052 | wiacmfgr.exe | 153
PID 2564 set thread context of 3724 | 2564 | wiacmfgr.exe | 155
PID 3492 set thread context of 5096 | 3492 | wiacmfgr.exe | 157
PID 1672 set thread context of 2956 | 1672 | wiacmfgr.exe | 159
PID 3496 set thread context of 2060 | 3496 | wiacmfgr.exe | 161
PID 4480 set thread context of 1576 | 4480 | wiacmfgr.exe | 163
PID 5088 set thread context of 1748 | 5088 | wiacmfgr.exe | 165
PID 3940 set thread context of 3032 | 3940 | wiacmfgr.exe | 167
PID 3156 set thread context of 1424 | 3156 | wiacmfgr.exe | 169
PID 4376 set thread context of 4552 | 4376 | wiacmfgr.exe | 171
PID 2324 set thread context of 3176 | 2324 | wiacmfgr.exe | 173
PID 3956 set thread context of 2348 | 3956 | wiacmfgr.exe | 175
PID 2660 set thread context of 2632 | 2660 | wiacmfgr.exe | 177
PID 556 set thread context of 4636 | 556 | wiacmfgr.exe | 179
PID 3896 set thread context of 3988 | 3896 | wiacmfgr.exe | 181
PID 4624 set thread context of 552 | 4624 | wiacmfgr.exe | 183
PID 804 set thread context of 1800 | 804 | wiacmfgr.exe | 185
PID 116 set thread context of 1580 | 116 | wiacmfgr.exe | 187
PID 3216 set thread context of 2204 | 3216 | wiacmfgr.exe | 189
PID 4844 set thread context of 1324 | 4844 | wiacmfgr.exe | 191
PID 2760 set thread context of 404 | 2760 | wiacmfgr.exe | 193
PID 4360 set thread context of 3892 | 4360 | wiacmfgr.exe | 195
PID 2460 set thread context of 4496 | 2460 | wiacmfgr.exe | 197
PID 4316 set thread context of 4600 | 4316 | wiacmfgr.exe | 199
PID 3940 set thread context of 3276 | 3940 | wiacmfgr.exe | 201
PID 3400 set thread context of 4072 | 3400 | wiacmfgr.exe | 203
PID 3812 set thread context of 2524 | 3812 | wiacmfgr.exe | 205
PID 4528 set thread context of 4724 | 4528 | wiacmfgr.exe | 207
PID 2668 set thread context of 3100 | 2668 | wiacmfgr.exe | 209
PID 4140 set thread context of 3196 | 4140 | wiacmfgr.exe | 211
PID 4452 set thread context of 744 | 4452 | wiacmfgr.exe | 213
PID 440 set thread context of 1512 | 440 | wiacmfgr.exe | 215
PID 1096 set thread context of 3004 | 1096 | wiacmfgr.exe | 217
Resource | yara_rule
All 64 rows match YARA rule upx. Each resource is a memory dump of the region 0x0000000000400000-0x0000000000463000, named behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000463000-memory.dmp, with <pid>-<n> in the order listed: 3620-0, 3620-2, 3620-4, 3620-3, 3620-65, 1880-73, 1880-72, 1880-71, 1880-70, 1880-74, 2152-80, 2152-83, 1804-90, 1100-97, 3964-103, 1792-111, 3108-118, 1340-125, 3352-130, 3352-133, 2680-139, 3524-147, 4612-157, 4692-165, 4936-173, 2064-181, 1108-189, 3056-198, 732-206, 3888-214, 1496-222, 4820-230, 3556-237, 4248-243, 2248-249, 2028-255, 5072-261, 4436-267, 1512-273, 3448-279, 4188-285, 4380-291, 3724-297, 5096-303, 2956-309, 2060-315, 1576-321, 1748-327, 3032-333, 1424-339, 4552-345, 3176-351, 2348-357, 2632-363, 4636-369, 3988-375, 552-381, 1800-387, 1580-393, 2204-399, 1324-405, 404-411, 3892-417, 4496-423
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe"
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4692
Depth 2: C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3620
Depth 3: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\A28B52~1.EXE
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1108
Depth 4: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\A28B52~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1880
Depth 5: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2864
Depth 6: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2152
Depth 7: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2200
Depth 8: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1804
Depth 9: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2212
Depth 10: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1100
Depth 11: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1288
Depth 12: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3964
Depth 13: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID: 2804
Depth 14: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1792
Depth 15: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1424
Depth 16: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3108
Depth 17: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID: 4376
Depth 18: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1340
Depth 19: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1448
Depth 20: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3352
Depth 21: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 408
Depth 22: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2680
Depth 23: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 400
Depth 24: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3524
Depth 25: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID: 5108
Depth 26: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4612
Depth 27: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 744
Depth 28: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4692
Depth 29: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 3240
Depth 30: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4936
Depth 31: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3912
Depth 32: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2064
Depth 33: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 3708
Depth 34: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1108
Depth 35: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1464
Depth 36: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3056
Depth 37: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID: 2044
Depth 38: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 732
Depth 39: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID: 1520
Depth 40: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3888
Depth 41: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID: 2944
Depth 42: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1496
Depth 43: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID: 4828
Depth 44: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4820
Depth 45: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID: 1640
Depth 46: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3556
Depth 47: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID: 3212
Depth 48: C:\Windows\SysWOW64\wiacmfgr.exe
Command line: "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4248 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe49⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2248 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe51⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:408 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2028 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe53⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2908 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5072 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe55⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4636 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4436 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe57⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4916 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe58⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1512 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe59⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3900 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe60⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3448 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe61⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2380 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4188 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe63⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe64⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4380 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe65⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe66⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3724 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe67⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3492 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe68⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe69⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe70⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe71⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3496 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe72⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe73⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4480 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe74⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe75⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5088 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe76⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe77⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3940 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe78⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe79⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3156 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe80⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe81⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4376 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe82⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4552 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe83⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2324 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe84⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe85⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3956 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe86⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe87⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2660 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe89⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe90⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe91⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3896 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe92⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe93⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe94⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe95⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe96⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe97⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:116 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe98⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe99⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3216 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe100⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe101⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe102⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe103⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe104⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe105⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe106⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe107⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe108⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4496 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe109⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4316 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe110⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe111⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3940 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe112⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3276 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe113⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3400 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe114⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4072 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe115⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3812 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe116⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe117⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4528 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe118⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe119⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2668 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe120⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3100 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe121⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4140 -
C:\Windows\SysWOW64\wiacmfgr.exe"C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe122⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3196