metasploit | b21f11dceea0da86071bc303babe191839fb79325fee5f76c9fe016bc1a12091

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe
Size

267KB
MD5

0205ecc7bf826715488e834f07e8eb6c
SHA1

74f7f30baa9e4e2619f2f7c2f793e7dedc20ba0b
SHA256

b21f11dceea0da86071bc303babe191839fb79325fee5f76c9fe016bc1a12091
SHA512

d698313ad10fd7fa9c3dae0d9904239bef001131e53ebf9fad34135476dcce057347c6fcd492c4de5976da616c923becb5c6e2de2fcda94ddc4a4b3594d92ca3
SSDEEP

6144:8QU5I0zbulDodOk/IKNGkcJIoFZIEWOKsS9BY:8bIkbpIKsksrFr8ry

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2924	wiacmfgr.exe

Executes dropped EXE 64 IoCs

pid	Process
2724	wiacmfgr.exe
2924	wiacmfgr.exe
2752	wiacmfgr.exe
2620	wiacmfgr.exe
2852	wiacmfgr.exe
2956	wiacmfgr.exe
2932	wiacmfgr.exe
3016	wiacmfgr.exe
1772	wiacmfgr.exe
2184	wiacmfgr.exe
2368	wiacmfgr.exe
1812	wiacmfgr.exe
2600	wiacmfgr.exe
1180	wiacmfgr.exe
2388	wiacmfgr.exe
1944	wiacmfgr.exe
1140	wiacmfgr.exe
2496	wiacmfgr.exe
2564	wiacmfgr.exe
1664	wiacmfgr.exe
1728	wiacmfgr.exe
2376	wiacmfgr.exe
2296	wiacmfgr.exe
2052	wiacmfgr.exe
2860	wiacmfgr.exe
2784	wiacmfgr.exe
2580	wiacmfgr.exe
1904	wiacmfgr.exe
300	wiacmfgr.exe
2848	wiacmfgr.exe
2948	wiacmfgr.exe
1404	wiacmfgr.exe
1792	wiacmfgr.exe
540	wiacmfgr.exe
1000	wiacmfgr.exe
1892	wiacmfgr.exe
1828	wiacmfgr.exe
2328	wiacmfgr.exe
1084	wiacmfgr.exe
2516	wiacmfgr.exe
892	wiacmfgr.exe
2988	wiacmfgr.exe
2304	wiacmfgr.exe
1956	wiacmfgr.exe
904	wiacmfgr.exe
1640	wiacmfgr.exe
1916	wiacmfgr.exe
2920	wiacmfgr.exe
2196	wiacmfgr.exe
2260	wiacmfgr.exe
2992	wiacmfgr.exe
2860	wiacmfgr.exe
2588	wiacmfgr.exe
2668	wiacmfgr.exe
1152	wiacmfgr.exe
300	wiacmfgr.exe
308	wiacmfgr.exe
1592	wiacmfgr.exe
3028	wiacmfgr.exe
2396	wiacmfgr.exe
2368	wiacmfgr.exe
448	wiacmfgr.exe
1828	wiacmfgr.exe
1268	wiacmfgr.exe

Loads dropped DLL 64 IoCs

pid	Process
2132	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe
2132	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe
2924	wiacmfgr.exe
2924	wiacmfgr.exe
2620	wiacmfgr.exe
2620	wiacmfgr.exe
2956	wiacmfgr.exe
2956	wiacmfgr.exe
3016	wiacmfgr.exe
3016	wiacmfgr.exe
2184	wiacmfgr.exe
2184	wiacmfgr.exe
1812	wiacmfgr.exe
1812	wiacmfgr.exe
1180	wiacmfgr.exe
1180	wiacmfgr.exe
1944	wiacmfgr.exe
1944	wiacmfgr.exe
2496	wiacmfgr.exe
2496	wiacmfgr.exe
1664	wiacmfgr.exe
1664	wiacmfgr.exe
2376	wiacmfgr.exe
2376	wiacmfgr.exe
2052	wiacmfgr.exe
2052	wiacmfgr.exe
2784	wiacmfgr.exe
2784	wiacmfgr.exe
1904	wiacmfgr.exe
1904	wiacmfgr.exe
2848	wiacmfgr.exe
2848	wiacmfgr.exe
1404	wiacmfgr.exe
1404	wiacmfgr.exe
540	wiacmfgr.exe
540	wiacmfgr.exe
1892	wiacmfgr.exe
1892	wiacmfgr.exe
2328	wiacmfgr.exe
2328	wiacmfgr.exe
2516	wiacmfgr.exe
2516	wiacmfgr.exe
2988	wiacmfgr.exe
2988	wiacmfgr.exe
1956	wiacmfgr.exe
1956	wiacmfgr.exe
1640	wiacmfgr.exe
1640	wiacmfgr.exe
2920	wiacmfgr.exe
2920	wiacmfgr.exe
2260	wiacmfgr.exe
2260	wiacmfgr.exe
2860	wiacmfgr.exe
2860	wiacmfgr.exe
2668	wiacmfgr.exe
2668	wiacmfgr.exe
300	wiacmfgr.exe
300	wiacmfgr.exe
1592	wiacmfgr.exe
1592	wiacmfgr.exe
2396	wiacmfgr.exe
2396	wiacmfgr.exe
448	wiacmfgr.exe
448	wiacmfgr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File created	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe
File opened for modification	C:\Windows\SysWOW64\wiacmfgr.exe	wiacmfgr.exe

Suspicious use of SetThreadContext 60 IoCs

description	pid	Process	procid_target
PID 372 set thread context of 2132	372	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	30
PID 2724 set thread context of 2924	2724	wiacmfgr.exe	33
PID 2752 set thread context of 2620	2752	wiacmfgr.exe	35
PID 2852 set thread context of 2956	2852	wiacmfgr.exe	38
PID 2932 set thread context of 3016	2932	wiacmfgr.exe	40
PID 1772 set thread context of 2184	1772	wiacmfgr.exe	42
PID 2368 set thread context of 1812	2368	wiacmfgr.exe	44
PID 2600 set thread context of 1180	2600	wiacmfgr.exe	46
PID 2388 set thread context of 1944	2388	wiacmfgr.exe	48
PID 1140 set thread context of 2496	1140	wiacmfgr.exe	50
PID 2564 set thread context of 1664	2564	wiacmfgr.exe	52
PID 1728 set thread context of 2376	1728	wiacmfgr.exe	54
PID 2296 set thread context of 2052	2296	wiacmfgr.exe	56
PID 2860 set thread context of 2784	2860	wiacmfgr.exe	58
PID 2580 set thread context of 1904	2580	wiacmfgr.exe	60
PID 300 set thread context of 2848	300	wiacmfgr.exe	62
PID 2948 set thread context of 1404	2948	wiacmfgr.exe	64
PID 1792 set thread context of 540	1792	wiacmfgr.exe	66
PID 1000 set thread context of 1892	1000	wiacmfgr.exe	68
PID 1828 set thread context of 2328	1828	wiacmfgr.exe	70
PID 1084 set thread context of 2516	1084	wiacmfgr.exe	72
PID 892 set thread context of 2988	892	wiacmfgr.exe	74
PID 2304 set thread context of 1956	2304	wiacmfgr.exe	76
PID 904 set thread context of 1640	904	wiacmfgr.exe	78
PID 1916 set thread context of 2920	1916	wiacmfgr.exe	80
PID 2196 set thread context of 2260	2196	wiacmfgr.exe	82
PID 2992 set thread context of 2860	2992	wiacmfgr.exe	84
PID 2588 set thread context of 2668	2588	wiacmfgr.exe	86
PID 1152 set thread context of 300	1152	wiacmfgr.exe	88
PID 308 set thread context of 1592	308	wiacmfgr.exe	90
PID 3028 set thread context of 2396	3028	wiacmfgr.exe	92
PID 2368 set thread context of 448	2368	wiacmfgr.exe	94
PID 1828 set thread context of 1268	1828	wiacmfgr.exe	96
PID 1748 set thread context of 1544	1748	wiacmfgr.exe	98
PID 1312 set thread context of 1576	1312	wiacmfgr.exe	100
PID 1788 set thread context of 1752	1788	wiacmfgr.exe	102
PID 1928 set thread context of 600	1928	wiacmfgr.exe	104
PID 2760 set thread context of 2176	2760	wiacmfgr.exe	106
PID 2744 set thread context of 2640	2744	wiacmfgr.exe	108
PID 2752 set thread context of 2728	2752	wiacmfgr.exe	110
PID 1484 set thread context of 596	1484	wiacmfgr.exe	112
PID 2884 set thread context of 2684	2884	wiacmfgr.exe	114
PID 3024 set thread context of 2948	3024	wiacmfgr.exe	116
PID 860 set thread context of 1776	860	wiacmfgr.exe	118
PID 2364 set thread context of 2712	2364	wiacmfgr.exe	120
PID 1876 set thread context of 1828	1876	wiacmfgr.exe	122
PID 1796 set thread context of 1952	1796	wiacmfgr.exe	124
PID 1708 set thread context of 912	1708	wiacmfgr.exe	126
PID 864 set thread context of 2564	864	wiacmfgr.exe	128
PID 1540 set thread context of 2344	1540	wiacmfgr.exe	130
PID 2700 set thread context of 2484	2700	wiacmfgr.exe	132
PID 2880 set thread context of 2308	2880	wiacmfgr.exe	134
PID 852 set thread context of 2628	852	wiacmfgr.exe	136
PID 2524 set thread context of 1484	2524	wiacmfgr.exe	138
PID 2772 set thread context of 2884	2772	wiacmfgr.exe	140
PID 948 set thread context of 2980	948	wiacmfgr.exe	142
PID 1440 set thread context of 2464	1440	wiacmfgr.exe	144
PID 2404 set thread context of 1716	2404	wiacmfgr.exe	146
PID 1876 set thread context of 1628	1876	wiacmfgr.exe	148
PID 1048 set thread context of 3056	1048	wiacmfgr.exe	150

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-6-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2132-10-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2132-11-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2132-9-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2132-8-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2132-4-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2132-2-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2132-12-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2132-25-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2924-39-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2924-38-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2924-37-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2924-36-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2924-40-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2924-45-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2620-62-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2956-72-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2956-80-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3016-89-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3016-91-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3016-90-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3016-95-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2184-106-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2184-113-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1812-123-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1812-130-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1180-140-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1180-147-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1944-157-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1944-164-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2496-175-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2496-182-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1664-192-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1664-199-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2376-210-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2376-216-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2052-226-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2052-234-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2784-244-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2784-251-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1904-260-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1904-264-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2848-273-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2848-277-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1404-286-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1404-290-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/540-299-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/540-303-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1892-312-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1892-316-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2328-325-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2328-329-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2516-338-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2516-342-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2988-351-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2988-355-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1956-364-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1956-368-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1640-377-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1640-381-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2920-390-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2920-394-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2260-406-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2860-415-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiacmfgr.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2132	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe
2924	wiacmfgr.exe
2620	wiacmfgr.exe
2956	wiacmfgr.exe
3016	wiacmfgr.exe
2184	wiacmfgr.exe
1812	wiacmfgr.exe
1180	wiacmfgr.exe
1944	wiacmfgr.exe
2496	wiacmfgr.exe
1664	wiacmfgr.exe
2376	wiacmfgr.exe
2052	wiacmfgr.exe
2784	wiacmfgr.exe
1904	wiacmfgr.exe
2848	wiacmfgr.exe
1404	wiacmfgr.exe
540	wiacmfgr.exe
1892	wiacmfgr.exe
2328	wiacmfgr.exe
2516	wiacmfgr.exe
2988	wiacmfgr.exe
1956	wiacmfgr.exe
1640	wiacmfgr.exe
2920	wiacmfgr.exe
2260	wiacmfgr.exe
2860	wiacmfgr.exe
2668	wiacmfgr.exe
300	wiacmfgr.exe
1592	wiacmfgr.exe
2396	wiacmfgr.exe
448	wiacmfgr.exe
1268	wiacmfgr.exe
1544	wiacmfgr.exe
1576	wiacmfgr.exe
1752	wiacmfgr.exe
600	wiacmfgr.exe
2176	wiacmfgr.exe
2640	wiacmfgr.exe
2728	wiacmfgr.exe
596	wiacmfgr.exe
2684	wiacmfgr.exe
2948	wiacmfgr.exe
1776	wiacmfgr.exe
2712	wiacmfgr.exe
1828	wiacmfgr.exe
1952	wiacmfgr.exe
912	wiacmfgr.exe
2564	wiacmfgr.exe
2344	wiacmfgr.exe
2484	wiacmfgr.exe
2308	wiacmfgr.exe
2628	wiacmfgr.exe
1484	wiacmfgr.exe
2884	wiacmfgr.exe
2980	wiacmfgr.exe
2464	wiacmfgr.exe
1716	wiacmfgr.exe
1628	wiacmfgr.exe
3056	wiacmfgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 2132	372	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	30
PID 372 wrote to memory of 2132	372	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	30
PID 372 wrote to memory of 2132	372	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	30
PID 372 wrote to memory of 2132	372	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	30
PID 372 wrote to memory of 2132	372	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	30
PID 372 wrote to memory of 2132	372	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	30
PID 372 wrote to memory of 2132	372	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	30
PID 2132 wrote to memory of 2724	2132	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	32
PID 2132 wrote to memory of 2724	2132	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	32
PID 2132 wrote to memory of 2724	2132	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	32
PID 2132 wrote to memory of 2724	2132	JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe	32
PID 2724 wrote to memory of 2924	2724	wiacmfgr.exe	33
PID 2724 wrote to memory of 2924	2724	wiacmfgr.exe	33
PID 2724 wrote to memory of 2924	2724	wiacmfgr.exe	33
PID 2724 wrote to memory of 2924	2724	wiacmfgr.exe	33
PID 2724 wrote to memory of 2924	2724	wiacmfgr.exe	33
PID 2724 wrote to memory of 2924	2724	wiacmfgr.exe	33
PID 2724 wrote to memory of 2924	2724	wiacmfgr.exe	33
PID 2924 wrote to memory of 2752	2924	wiacmfgr.exe	34
PID 2924 wrote to memory of 2752	2924	wiacmfgr.exe	34
PID 2924 wrote to memory of 2752	2924	wiacmfgr.exe	34
PID 2924 wrote to memory of 2752	2924	wiacmfgr.exe	34
PID 2752 wrote to memory of 2620	2752	wiacmfgr.exe	35
PID 2752 wrote to memory of 2620	2752	wiacmfgr.exe	35
PID 2752 wrote to memory of 2620	2752	wiacmfgr.exe	35
PID 2752 wrote to memory of 2620	2752	wiacmfgr.exe	35
PID 2752 wrote to memory of 2620	2752	wiacmfgr.exe	35
PID 2752 wrote to memory of 2620	2752	wiacmfgr.exe	35
PID 2752 wrote to memory of 2620	2752	wiacmfgr.exe	35
PID 2620 wrote to memory of 2852	2620	wiacmfgr.exe	37
PID 2620 wrote to memory of 2852	2620	wiacmfgr.exe	37
PID 2620 wrote to memory of 2852	2620	wiacmfgr.exe	37
PID 2620 wrote to memory of 2852	2620	wiacmfgr.exe	37
PID 2852 wrote to memory of 2956	2852	wiacmfgr.exe	38
PID 2852 wrote to memory of 2956	2852	wiacmfgr.exe	38
PID 2852 wrote to memory of 2956	2852	wiacmfgr.exe	38
PID 2852 wrote to memory of 2956	2852	wiacmfgr.exe	38
PID 2852 wrote to memory of 2956	2852	wiacmfgr.exe	38
PID 2852 wrote to memory of 2956	2852	wiacmfgr.exe	38
PID 2852 wrote to memory of 2956	2852	wiacmfgr.exe	38
PID 2956 wrote to memory of 2932	2956	wiacmfgr.exe	39
PID 2956 wrote to memory of 2932	2956	wiacmfgr.exe	39
PID 2956 wrote to memory of 2932	2956	wiacmfgr.exe	39
PID 2956 wrote to memory of 2932	2956	wiacmfgr.exe	39
PID 2932 wrote to memory of 3016	2932	wiacmfgr.exe	40
PID 2932 wrote to memory of 3016	2932	wiacmfgr.exe	40
PID 2932 wrote to memory of 3016	2932	wiacmfgr.exe	40
PID 2932 wrote to memory of 3016	2932	wiacmfgr.exe	40
PID 2932 wrote to memory of 3016	2932	wiacmfgr.exe	40
PID 2932 wrote to memory of 3016	2932	wiacmfgr.exe	40
PID 2932 wrote to memory of 3016	2932	wiacmfgr.exe	40
PID 3016 wrote to memory of 1772	3016	wiacmfgr.exe	41
PID 3016 wrote to memory of 1772	3016	wiacmfgr.exe	41
PID 3016 wrote to memory of 1772	3016	wiacmfgr.exe	41
PID 3016 wrote to memory of 1772	3016	wiacmfgr.exe	41
PID 1772 wrote to memory of 2184	1772	wiacmfgr.exe	42
PID 1772 wrote to memory of 2184	1772	wiacmfgr.exe	42
PID 1772 wrote to memory of 2184	1772	wiacmfgr.exe	42
PID 1772 wrote to memory of 2184	1772	wiacmfgr.exe	42
PID 1772 wrote to memory of 2184	1772	wiacmfgr.exe	42
PID 1772 wrote to memory of 2184	1772	wiacmfgr.exe	42
PID 1772 wrote to memory of 2184	1772	wiacmfgr.exe	42
PID 2184 wrote to memory of 2368	2184	wiacmfgr.exe	43
PID 2184 wrote to memory of 2368	2184	wiacmfgr.exe	43

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0205ecc7bf826715488e834f07e8eb6c.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\wiacmfgr.exe
    "C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\wiacmfgr.exe
      "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1812
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2600
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1180
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2564
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1728
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2376
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2296
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2052
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2580
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1904
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:300
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1792
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:540
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1828
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:892
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2304
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:904
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1916
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2196
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2260
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2992
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2588
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1152
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:300
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2368
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1828
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        69⤵
        Suspicious use of SetThreadContext
        
        PID:1312
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        70⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        71⤵
        Suspicious use of SetThreadContext
        
        PID:1788
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        72⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        73⤵
        Suspicious use of SetThreadContext
        
        PID:1928
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:600
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        75⤵
        Suspicious use of SetThreadContext
        
        PID:2760
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        78⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        80⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:596
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        85⤵
        Suspicious use of SetThreadContext
        
        PID:3024
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        86⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        87⤵
        Suspicious use of SetThreadContext
        
        PID:860
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        88⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        92⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        93⤵
        Suspicious use of SetThreadContext
        
        PID:1796
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        95⤵
        Suspicious use of SetThreadContext
        
        PID:1708
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        97⤵
        Suspicious use of SetThreadContext
        
        PID:864
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        100⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        102⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2484
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        103⤵
        Suspicious use of SetThreadContext
        
        PID:2880
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        104⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        105⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        106⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        107⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        109⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        110⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        111⤵
        Suspicious use of SetThreadContext
        
        PID:948
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        112⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        113⤵
        Suspicious use of SetThreadContext
        
        PID:1440
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        114⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        115⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        116⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        117⤵
        Suspicious use of SetThreadContext
        
        PID:1876
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1628
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        119⤵
        Suspicious use of SetThreadContext
        
        PID:1048
        
        C:\Windows\SysWOW64\wiacmfgr.exe
        
        "C:\Windows\SysWOW64\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
        120⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wiacmfgr.exe

Filesize
267KB

MD5
0205ecc7bf826715488e834f07e8eb6c

SHA1
74f7f30baa9e4e2619f2f7c2f793e7dedc20ba0b

SHA256
b21f11dceea0da86071bc303babe191839fb79325fee5f76c9fe016bc1a12091

SHA512
d698313ad10fd7fa9c3dae0d9904239bef001131e53ebf9fad34135476dcce057347c6fcd492c4de5976da616c923becb5c6e2de2fcda94ddc4a4b3594d92ca3

Download Submit
memory/300-441-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/300-445-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/448-484-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/448-480-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/540-299-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/540-303-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/596-601-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/596-598-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/600-545-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/600-549-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/912-687-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/912-691-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1180-140-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1180-147-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1268-493-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1268-497-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1404-286-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1404-290-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1544-506-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1544-510-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1576-519-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1576-523-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1592-458-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1592-454-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1640-381-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1640-377-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1664-192-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1664-199-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1752-532-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1752-536-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1776-640-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1776-636-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1812-130-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1812-123-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1828-661-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1828-665-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1892-316-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1892-312-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1904-260-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1904-264-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1944-164-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1944-157-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1952-674-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1952-678-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1956-364-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1956-368-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2052-226-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2052-234-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-4-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-8-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-12-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-25-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-10-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-11-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-9-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-2-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2176-562-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2176-558-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2184-113-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2184-106-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2260-406-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2328-325-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2328-329-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2376-216-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2376-210-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2396-468-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2396-471-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2496-175-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2496-182-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2516-338-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2516-342-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2564-700-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2564-704-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2620-62-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2640-575-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2640-571-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2668-432-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2668-428-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2684-610-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2684-614-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2712-652-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2728-584-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2728-588-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2784-244-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2784-251-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2848-273-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2848-277-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2860-419-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2860-415-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2920-390-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2920-394-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2924-40-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2924-45-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2924-36-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2924-37-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2924-38-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2924-39-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2948-623-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2948-627-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2956-80-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2956-72-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2988-355-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2988-351-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3016-95-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3016-90-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3016-91-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3016-89-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download