metasploit | f350e00e97d748de5e1595792cc07c99407627072cca7fe8bd978dd16239e3a9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
Size

149KB
MD5

d1b8900805471d9d106ccf8651bbf8ad
SHA1

acf8b4c425d0db4e52c9833003dc29cc74a583bf
SHA256

f350e00e97d748de5e1595792cc07c99407627072cca7fe8bd978dd16239e3a9
SHA512

e22e89e897fb7f777b4636e8b14029a75a66e741e8dc8728fe43897719ec06711cc6a5ceef8b82ccae096b0b537381d18a2567fc59aabfeac0a8777bca73176a
SSDEEP

3072:9CVkpg1OuoltBjPtwkDPkp+0maXtu5yv70Lec7cL3SUZrK373o:9QsflDjtwQMVtuk70Le1S2ao

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 30 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmisrmgi.exe

Deletes itself 1 IoCs

pid	Process
2188	wmisrmgi.exe

Executes dropped EXE 60 IoCs

pid	Process
2020	wmisrmgi.exe
2188	wmisrmgi.exe
2616	wmisrmgi.exe
3100	wmisrmgi.exe
4088	wmisrmgi.exe
1496	wmisrmgi.exe
1648	wmisrmgi.exe
2864	wmisrmgi.exe
1204	wmisrmgi.exe
2560	wmisrmgi.exe
4276	wmisrmgi.exe
4280	wmisrmgi.exe
2256	wmisrmgi.exe
3040	wmisrmgi.exe
2312	wmisrmgi.exe
1500	wmisrmgi.exe
3500	wmisrmgi.exe
4796	wmisrmgi.exe
4052	wmisrmgi.exe
3884	wmisrmgi.exe
1096	wmisrmgi.exe
3712	wmisrmgi.exe
384	wmisrmgi.exe
4556	wmisrmgi.exe
4956	wmisrmgi.exe
2436	wmisrmgi.exe
5044	wmisrmgi.exe
5080	wmisrmgi.exe
2964	wmisrmgi.exe
4120	wmisrmgi.exe
1348	wmisrmgi.exe
616	wmisrmgi.exe
2024	wmisrmgi.exe
2072	wmisrmgi.exe
5112	wmisrmgi.exe
2084	wmisrmgi.exe
1188	wmisrmgi.exe
3064	wmisrmgi.exe
4564	wmisrmgi.exe
456	wmisrmgi.exe
1424	wmisrmgi.exe
4680	wmisrmgi.exe
1736	wmisrmgi.exe
1512	wmisrmgi.exe
4460	wmisrmgi.exe
3084	wmisrmgi.exe
1520	wmisrmgi.exe
1148	wmisrmgi.exe
1940	wmisrmgi.exe
3264	wmisrmgi.exe
4088	wmisrmgi.exe
4172	wmisrmgi.exe
4476	wmisrmgi.exe
5028	wmisrmgi.exe
2444	wmisrmgi.exe
4568	wmisrmgi.exe
428	wmisrmgi.exe
4700	wmisrmgi.exe
540	wmisrmgi.exe
4140	wmisrmgi.exe

Maps connected drives based on registry 3 TTPs 62 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmisrmgi.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File opened for modification	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe
File created	C:\Windows\SysWOW64\wmisrmgi.exe	wmisrmgi.exe

Suspicious use of SetThreadContext 31 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 2400	4508	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	83
PID 2020 set thread context of 2188	2020	wmisrmgi.exe	86
PID 2616 set thread context of 3100	2616	wmisrmgi.exe	92
PID 4088 set thread context of 1496	4088	wmisrmgi.exe	98
PID 1648 set thread context of 2864	1648	wmisrmgi.exe	104
PID 1204 set thread context of 2560	1204	wmisrmgi.exe	106
PID 4276 set thread context of 4280	4276	wmisrmgi.exe	108
PID 2256 set thread context of 3040	2256	wmisrmgi.exe	113
PID 2312 set thread context of 1500	2312	wmisrmgi.exe	115
PID 3500 set thread context of 4796	3500	wmisrmgi.exe	117
PID 4052 set thread context of 3884	4052	wmisrmgi.exe	119
PID 1096 set thread context of 3712	1096	wmisrmgi.exe	121
PID 384 set thread context of 4556	384	wmisrmgi.exe	123
PID 4956 set thread context of 2436	4956	wmisrmgi.exe	126
PID 5044 set thread context of 5080	5044	wmisrmgi.exe	128
PID 2964 set thread context of 4120	2964	wmisrmgi.exe	130
PID 1348 set thread context of 616	1348	wmisrmgi.exe	132
PID 2024 set thread context of 2072	2024	wmisrmgi.exe	134
PID 5112 set thread context of 2084	5112	wmisrmgi.exe	136
PID 1188 set thread context of 3064	1188	wmisrmgi.exe	138
PID 4564 set thread context of 456	4564	wmisrmgi.exe	140
PID 1424 set thread context of 4680	1424	wmisrmgi.exe	142
PID 1736 set thread context of 1512	1736	wmisrmgi.exe	144
PID 4460 set thread context of 3084	4460	wmisrmgi.exe	146
PID 1520 set thread context of 1148	1520	wmisrmgi.exe	148
PID 1940 set thread context of 3264	1940	wmisrmgi.exe	150
PID 4088 set thread context of 4172	4088	wmisrmgi.exe	152
PID 4476 set thread context of 5028	4476	wmisrmgi.exe	154
PID 2444 set thread context of 4568	2444	wmisrmgi.exe	156
PID 428 set thread context of 4700	428	wmisrmgi.exe	158
PID 540 set thread context of 4140	540	wmisrmgi.exe	160

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2400-0-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2400-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2400-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2400-4-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2400-38-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2188-44-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2188-47-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3100-53-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3100-55-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1496-62-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2864-69-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2560-76-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4280-83-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3040-90-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1500-96-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4796-103-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3884-111-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3712-118-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4556-127-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2436-136-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5080-144-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4120-152-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/616-160-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2072-168-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2084-176-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3064-184-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/456-188-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/456-193-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4680-202-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1512-209-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3084-215-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1148-221-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3264-227-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4172-233-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5028-239-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4568-245-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4700-251-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrmgi.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmisrmgi.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2400	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
2400	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
2188	wmisrmgi.exe
2188	wmisrmgi.exe
3100	wmisrmgi.exe
3100	wmisrmgi.exe
1496	wmisrmgi.exe
1496	wmisrmgi.exe
2864	wmisrmgi.exe
2864	wmisrmgi.exe
2560	wmisrmgi.exe
2560	wmisrmgi.exe
4280	wmisrmgi.exe
4280	wmisrmgi.exe
3040	wmisrmgi.exe
3040	wmisrmgi.exe
1500	wmisrmgi.exe
1500	wmisrmgi.exe
4796	wmisrmgi.exe
4796	wmisrmgi.exe
3884	wmisrmgi.exe
3884	wmisrmgi.exe
3712	wmisrmgi.exe
3712	wmisrmgi.exe
4556	wmisrmgi.exe
4556	wmisrmgi.exe
2436	wmisrmgi.exe
2436	wmisrmgi.exe
5080	wmisrmgi.exe
5080	wmisrmgi.exe
4120	wmisrmgi.exe
4120	wmisrmgi.exe
616	wmisrmgi.exe
616	wmisrmgi.exe
2072	wmisrmgi.exe
2072	wmisrmgi.exe
2084	wmisrmgi.exe
2084	wmisrmgi.exe
3064	wmisrmgi.exe
3064	wmisrmgi.exe
456	wmisrmgi.exe
456	wmisrmgi.exe
4680	wmisrmgi.exe
4680	wmisrmgi.exe
1512	wmisrmgi.exe
1512	wmisrmgi.exe
3084	wmisrmgi.exe
3084	wmisrmgi.exe
1148	wmisrmgi.exe
1148	wmisrmgi.exe
3264	wmisrmgi.exe
3264	wmisrmgi.exe
4172	wmisrmgi.exe
4172	wmisrmgi.exe
5028	wmisrmgi.exe
5028	wmisrmgi.exe
4568	wmisrmgi.exe
4568	wmisrmgi.exe
4700	wmisrmgi.exe
4700	wmisrmgi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 2400	4508	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	83
PID 4508 wrote to memory of 2400	4508	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	83
PID 4508 wrote to memory of 2400	4508	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	83
PID 4508 wrote to memory of 2400	4508	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	83
PID 4508 wrote to memory of 2400	4508	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	83
PID 4508 wrote to memory of 2400	4508	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	83
PID 4508 wrote to memory of 2400	4508	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	83
PID 2400 wrote to memory of 2020	2400	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	85
PID 2400 wrote to memory of 2020	2400	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	85
PID 2400 wrote to memory of 2020	2400	d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe	85
PID 2020 wrote to memory of 2188	2020	wmisrmgi.exe	86
PID 2020 wrote to memory of 2188	2020	wmisrmgi.exe	86
PID 2020 wrote to memory of 2188	2020	wmisrmgi.exe	86
PID 2020 wrote to memory of 2188	2020	wmisrmgi.exe	86
PID 2020 wrote to memory of 2188	2020	wmisrmgi.exe	86
PID 2020 wrote to memory of 2188	2020	wmisrmgi.exe	86
PID 2020 wrote to memory of 2188	2020	wmisrmgi.exe	86
PID 2188 wrote to memory of 2616	2188	wmisrmgi.exe	89
PID 2188 wrote to memory of 2616	2188	wmisrmgi.exe	89
PID 2188 wrote to memory of 2616	2188	wmisrmgi.exe	89
PID 2616 wrote to memory of 3100	2616	wmisrmgi.exe	92
PID 2616 wrote to memory of 3100	2616	wmisrmgi.exe	92
PID 2616 wrote to memory of 3100	2616	wmisrmgi.exe	92
PID 2616 wrote to memory of 3100	2616	wmisrmgi.exe	92
PID 2616 wrote to memory of 3100	2616	wmisrmgi.exe	92
PID 2616 wrote to memory of 3100	2616	wmisrmgi.exe	92
PID 2616 wrote to memory of 3100	2616	wmisrmgi.exe	92
PID 3100 wrote to memory of 4088	3100	wmisrmgi.exe	97
PID 3100 wrote to memory of 4088	3100	wmisrmgi.exe	97
PID 3100 wrote to memory of 4088	3100	wmisrmgi.exe	97
PID 4088 wrote to memory of 1496	4088	wmisrmgi.exe	98
PID 4088 wrote to memory of 1496	4088	wmisrmgi.exe	98
PID 4088 wrote to memory of 1496	4088	wmisrmgi.exe	98
PID 4088 wrote to memory of 1496	4088	wmisrmgi.exe	98
PID 4088 wrote to memory of 1496	4088	wmisrmgi.exe	98
PID 4088 wrote to memory of 1496	4088	wmisrmgi.exe	98
PID 4088 wrote to memory of 1496	4088	wmisrmgi.exe	98
PID 1496 wrote to memory of 1648	1496	wmisrmgi.exe	103
PID 1496 wrote to memory of 1648	1496	wmisrmgi.exe	103
PID 1496 wrote to memory of 1648	1496	wmisrmgi.exe	103
PID 1648 wrote to memory of 2864	1648	wmisrmgi.exe	104
PID 1648 wrote to memory of 2864	1648	wmisrmgi.exe	104
PID 1648 wrote to memory of 2864	1648	wmisrmgi.exe	104
PID 1648 wrote to memory of 2864	1648	wmisrmgi.exe	104
PID 1648 wrote to memory of 2864	1648	wmisrmgi.exe	104
PID 1648 wrote to memory of 2864	1648	wmisrmgi.exe	104
PID 1648 wrote to memory of 2864	1648	wmisrmgi.exe	104
PID 2864 wrote to memory of 1204	2864	wmisrmgi.exe	105
PID 2864 wrote to memory of 1204	2864	wmisrmgi.exe	105
PID 2864 wrote to memory of 1204	2864	wmisrmgi.exe	105
PID 1204 wrote to memory of 2560	1204	wmisrmgi.exe	106
PID 1204 wrote to memory of 2560	1204	wmisrmgi.exe	106
PID 1204 wrote to memory of 2560	1204	wmisrmgi.exe	106
PID 1204 wrote to memory of 2560	1204	wmisrmgi.exe	106
PID 1204 wrote to memory of 2560	1204	wmisrmgi.exe	106
PID 1204 wrote to memory of 2560	1204	wmisrmgi.exe	106
PID 1204 wrote to memory of 2560	1204	wmisrmgi.exe	106
PID 2560 wrote to memory of 4276	2560	wmisrmgi.exe	107
PID 2560 wrote to memory of 4276	2560	wmisrmgi.exe	107
PID 2560 wrote to memory of 4276	2560	wmisrmgi.exe	107
PID 4276 wrote to memory of 4280	4276	wmisrmgi.exe	108
PID 4276 wrote to memory of 4280	4276	wmisrmgi.exe	108
PID 4276 wrote to memory of 4280	4276	wmisrmgi.exe	108
PID 4276 wrote to memory of 4280	4276	wmisrmgi.exe	108

C:\Users\Admin\AppData\Local\Temp\d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d1b8900805471d9d106ccf8651bbf8ad_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\wmisrmgi.exe
    "C:\Windows\system32\wmisrmgi.exe" C:\Users\Admin\AppData\Local\Temp\D1B890~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\wmisrmgi.exe
      "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Users\Admin\AppData\Local\Temp\D1B890~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4280
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4796
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3884
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3712
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4556
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5080
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4120
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:616
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:456
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4680
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3084
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1148
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3264
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4172
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5028
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4568
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4700
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\system32\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\wmisrmgi.exe
        
        "C:\Windows\SysWOW64\wmisrmgi.exe" C:\Windows\SysWOW64\wmisrmgi.exe
        62⤵
        Executes dropped EXE
        Maps connected drives based on registry
        
        PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmisrmgi.exe

Filesize
149KB

MD5
d1b8900805471d9d106ccf8651bbf8ad

SHA1
acf8b4c425d0db4e52c9833003dc29cc74a583bf

SHA256
f350e00e97d748de5e1595792cc07c99407627072cca7fe8bd978dd16239e3a9

SHA512
e22e89e897fb7f777b4636e8b14029a75a66e741e8dc8728fe43897719ec06711cc6a5ceef8b82ccae096b0b537381d18a2567fc59aabfeac0a8777bca73176a

Download Submit
memory/456-188-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/456-193-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/616-160-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1148-221-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1496-62-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1500-96-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1512-209-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2072-168-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2084-176-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2188-44-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2188-47-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2400-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2400-38-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2400-4-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2400-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2400-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2436-136-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2560-76-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2864-69-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3040-90-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3064-184-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3084-215-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3100-55-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3100-53-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3264-227-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3712-118-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3884-111-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4120-152-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4172-233-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4280-83-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4556-127-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4568-245-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4680-202-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4700-251-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4796-103-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5028-239-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5080-144-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download