metasploit | e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
Size

220KB
MD5

b493cf0fe1f93895aca6b6834edb62b0
SHA1

2af8f287ce851f3d11b1f0a5ca33f6bba1d612ca
SHA256

e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5c
SHA512

d4159d22f90cfbe7601a51edfb3411d2589c21f5cb4955270b3eb84878fb9bbf975ac0dac917a34865da13422979f53a54008cf5a26735b3368408145cdc254a
SSDEEP

6144:t1JIfielipuGOMlliO1DmWIgff9aGzde4qz:t1JKi8ciYq0fZzqz

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2092	wmirpcf.exe

Executes dropped EXE 64 IoCs

pid	Process
1616	wmirpcf.exe
2092	wmirpcf.exe
3068	wmirpcf.exe
2904	wmirpcf.exe
2484	wmirpcf.exe
632	wmirpcf.exe
2776	wmirpcf.exe
1156	wmirpcf.exe
1900	wmirpcf.exe
1928	wmirpcf.exe
2024	wmirpcf.exe
2604	wmirpcf.exe
1100	wmirpcf.exe
2000	wmirpcf.exe
1648	wmirpcf.exe
2028	wmirpcf.exe
288	wmirpcf.exe
2056	wmirpcf.exe
1684	wmirpcf.exe
2008	wmirpcf.exe
1664	wmirpcf.exe
2400	wmirpcf.exe
3000	wmirpcf.exe
2336	wmirpcf.exe
2644	wmirpcf.exe
2980	wmirpcf.exe
2940	wmirpcf.exe
332	wmirpcf.exe
564	wmirpcf.exe
1304	wmirpcf.exe
2104	wmirpcf.exe
1612	wmirpcf.exe
2536	wmirpcf.exe
1496	wmirpcf.exe
1848	wmirpcf.exe
976	wmirpcf.exe
892	wmirpcf.exe
2268	wmirpcf.exe
864	wmirpcf.exe
1288	wmirpcf.exe
1588	wmirpcf.exe
824	wmirpcf.exe
1692	wmirpcf.exe
1664	wmirpcf.exe
2956	wmirpcf.exe
3000	wmirpcf.exe
2788	wmirpcf.exe
2752	wmirpcf.exe
2948	wmirpcf.exe
2944	wmirpcf.exe
708	wmirpcf.exe
1424	wmirpcf.exe
2512	wmirpcf.exe
540	wmirpcf.exe
2256	wmirpcf.exe
2100	wmirpcf.exe
2536	wmirpcf.exe
1364	wmirpcf.exe
2652	wmirpcf.exe
1624	wmirpcf.exe
1868	wmirpcf.exe
2596	wmirpcf.exe
1736	wmirpcf.exe
1940	wmirpcf.exe

Loads dropped DLL 64 IoCs

pid	Process
2080	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
2080	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
1616	wmirpcf.exe
2092	wmirpcf.exe
2092	wmirpcf.exe
2904	wmirpcf.exe
2904	wmirpcf.exe
632	wmirpcf.exe
632	wmirpcf.exe
1156	wmirpcf.exe
1156	wmirpcf.exe
1928	wmirpcf.exe
1928	wmirpcf.exe
2604	wmirpcf.exe
2604	wmirpcf.exe
2000	wmirpcf.exe
2000	wmirpcf.exe
2028	wmirpcf.exe
2028	wmirpcf.exe
2056	wmirpcf.exe
2056	wmirpcf.exe
2008	wmirpcf.exe
2008	wmirpcf.exe
2400	wmirpcf.exe
2400	wmirpcf.exe
2336	wmirpcf.exe
2336	wmirpcf.exe
2980	wmirpcf.exe
2980	wmirpcf.exe
332	wmirpcf.exe
332	wmirpcf.exe
1304	wmirpcf.exe
1304	wmirpcf.exe
1612	wmirpcf.exe
1612	wmirpcf.exe
1496	wmirpcf.exe
1496	wmirpcf.exe
976	wmirpcf.exe
976	wmirpcf.exe
2268	wmirpcf.exe
2268	wmirpcf.exe
1288	wmirpcf.exe
1288	wmirpcf.exe
824	wmirpcf.exe
824	wmirpcf.exe
1664	wmirpcf.exe
1664	wmirpcf.exe
3000	wmirpcf.exe
3000	wmirpcf.exe
2752	wmirpcf.exe
2752	wmirpcf.exe
2944	wmirpcf.exe
2944	wmirpcf.exe
1424	wmirpcf.exe
1424	wmirpcf.exe
540	wmirpcf.exe
540	wmirpcf.exe
2100	wmirpcf.exe
2100	wmirpcf.exe
1364	wmirpcf.exe
1364	wmirpcf.exe
1624	wmirpcf.exe
1624	wmirpcf.exe
2596	wmirpcf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2080	2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	30
PID 1616 set thread context of 2092	1616	wmirpcf.exe	32
PID 3068 set thread context of 2904	3068	wmirpcf.exe	34
PID 2484 set thread context of 632	2484	wmirpcf.exe	36
PID 2776 set thread context of 1156	2776	wmirpcf.exe	38
PID 1900 set thread context of 1928	1900	wmirpcf.exe	40
PID 2024 set thread context of 2604	2024	wmirpcf.exe	42
PID 1100 set thread context of 2000	1100	wmirpcf.exe	44
PID 1648 set thread context of 2028	1648	wmirpcf.exe	46
PID 288 set thread context of 2056	288	wmirpcf.exe	49
PID 1684 set thread context of 2008	1684	wmirpcf.exe	51
PID 1664 set thread context of 2400	1664	wmirpcf.exe	53
PID 3000 set thread context of 2336	3000	wmirpcf.exe	55
PID 2644 set thread context of 2980	2644	wmirpcf.exe	57
PID 2940 set thread context of 332	2940	wmirpcf.exe	59
PID 564 set thread context of 1304	564	wmirpcf.exe	61
PID 2104 set thread context of 1612	2104	wmirpcf.exe	63
PID 2536 set thread context of 1496	2536	wmirpcf.exe	65
PID 1848 set thread context of 976	1848	wmirpcf.exe	67
PID 892 set thread context of 2268	892	wmirpcf.exe	69
PID 864 set thread context of 1288	864	wmirpcf.exe	71
PID 1588 set thread context of 824	1588	wmirpcf.exe	73
PID 1692 set thread context of 1664	1692	wmirpcf.exe	75
PID 2956 set thread context of 3000	2956	wmirpcf.exe	77
PID 2788 set thread context of 2752	2788	wmirpcf.exe	79
PID 2948 set thread context of 2944	2948	wmirpcf.exe	81
PID 708 set thread context of 1424	708	wmirpcf.exe	83
PID 2512 set thread context of 540	2512	wmirpcf.exe	85
PID 2256 set thread context of 2100	2256	wmirpcf.exe	87
PID 2536 set thread context of 1364	2536	wmirpcf.exe	89
PID 2652 set thread context of 1624	2652	wmirpcf.exe	91
PID 1868 set thread context of 2596	1868	wmirpcf.exe	93
PID 1736 set thread context of 1940	1736	wmirpcf.exe	95
PID 1320 set thread context of 2436	1320	wmirpcf.exe	97
PID 2960 set thread context of 2460	2960	wmirpcf.exe	99
PID 2708 set thread context of 2688	2708	wmirpcf.exe	101
PID 2696 set thread context of 2860	2696	wmirpcf.exe	103
PID 1696 set thread context of 484	1696	wmirpcf.exe	105
PID 580 set thread context of 2524	580	wmirpcf.exe	107
PID 276 set thread context of 2256	276	wmirpcf.exe	109
PID 2112 set thread context of 952	2112	wmirpcf.exe	111
PID 2928 set thread context of 2444	2928	wmirpcf.exe	113
PID 1112 set thread context of 288	1112	wmirpcf.exe	115
PID 2648 set thread context of 300	2648	wmirpcf.exe	117
PID 2816 set thread context of 1672	2816	wmirpcf.exe	119
PID 2700 set thread context of 2824	2700	wmirpcf.exe	121
PID 2692 set thread context of 2424	2692	wmirpcf.exe	123
PID 588 set thread context of 2948	588	wmirpcf.exe	125
PID 1296 set thread context of 2760	1296	wmirpcf.exe	127
PID 2104 set thread context of 1936	2104	wmirpcf.exe	129
PID 408 set thread context of 832	408	wmirpcf.exe	131
PID 828 set thread context of 1668	828	wmirpcf.exe	133
PID 2928 set thread context of 948	2928	wmirpcf.exe	135
PID 2168 set thread context of 1628	2168	wmirpcf.exe	137
PID 2300 set thread context of 1180	2300	wmirpcf.exe	139
PID 2332 set thread context of 1952	2332	wmirpcf.exe	141
PID 2804 set thread context of 2732	2804	wmirpcf.exe	143
PID 3032 set thread context of 1552	3032	wmirpcf.exe	145
PID 2764 set thread context of 1484	2764	wmirpcf.exe	147
PID 3020 set thread context of 848	3020	wmirpcf.exe	149
PID 2480 set thread context of 2640	2480	wmirpcf.exe	151
PID 1560 set thread context of 276	1560	wmirpcf.exe	153
PID 2564 set thread context of 2112	2564	wmirpcf.exe	155
PID 304 set thread context of 688	304	wmirpcf.exe	157

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2080-5-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2080-19-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2080-18-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2080-17-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2080-16-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2080-11-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2080-9-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2080-32-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2092-50-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2092-49-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2092-48-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2092-47-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2092-56-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2904-72-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2904-78-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/632-92-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/632-100-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1156-114-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1156-123-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1928-139-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1928-146-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2604-161-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2604-168-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2000-184-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2000-190-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2028-206-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2028-215-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2056-234-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2008-248-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2008-256-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2400-278-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2336-299-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2980-320-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/332-337-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1304-354-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1612-371-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1496-388-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/976-405-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2268-422-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1288-439-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/824-456-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1664-473-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3000-490-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2752-507-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2944-524-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1424-541-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/540-553-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/540-559-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2100-576-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1364-593-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1624-610-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2596-627-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1940-644-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2436-661-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2460-678-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2688-695-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2860-712-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/484-729-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2524-746-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2256-763-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/952-780-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2444-797-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/288-814-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/300-831-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
2092	wmirpcf.exe
2904	wmirpcf.exe
632	wmirpcf.exe
1156	wmirpcf.exe
1928	wmirpcf.exe
2604	wmirpcf.exe
2000	wmirpcf.exe
2028	wmirpcf.exe
2056	wmirpcf.exe
2008	wmirpcf.exe
2400	wmirpcf.exe
2336	wmirpcf.exe
2980	wmirpcf.exe
332	wmirpcf.exe
1304	wmirpcf.exe
1612	wmirpcf.exe
1496	wmirpcf.exe
976	wmirpcf.exe
2268	wmirpcf.exe
1288	wmirpcf.exe
824	wmirpcf.exe
1664	wmirpcf.exe
3000	wmirpcf.exe
2752	wmirpcf.exe
2944	wmirpcf.exe
1424	wmirpcf.exe
540	wmirpcf.exe
2100	wmirpcf.exe
1364	wmirpcf.exe
1624	wmirpcf.exe
2596	wmirpcf.exe
1940	wmirpcf.exe
2436	wmirpcf.exe
2460	wmirpcf.exe
2688	wmirpcf.exe
2860	wmirpcf.exe
484	wmirpcf.exe
2524	wmirpcf.exe
2256	wmirpcf.exe
952	wmirpcf.exe
2444	wmirpcf.exe
288	wmirpcf.exe
300	wmirpcf.exe
1672	wmirpcf.exe
2824	wmirpcf.exe
2424	wmirpcf.exe
2948	wmirpcf.exe
2760	wmirpcf.exe
1936	wmirpcf.exe
832	wmirpcf.exe
1668	wmirpcf.exe
948	wmirpcf.exe
1628	wmirpcf.exe
1180	wmirpcf.exe
1952	wmirpcf.exe
2732	wmirpcf.exe
1552	wmirpcf.exe
1484	wmirpcf.exe
848	wmirpcf.exe
2640	wmirpcf.exe
276	wmirpcf.exe
2112	wmirpcf.exe
688	wmirpcf.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
1616	wmirpcf.exe
3068	wmirpcf.exe
2484	wmirpcf.exe
2776	wmirpcf.exe
1900	wmirpcf.exe
2024	wmirpcf.exe
1100	wmirpcf.exe
1648	wmirpcf.exe
288	wmirpcf.exe
1684	wmirpcf.exe
1664	wmirpcf.exe
3000	wmirpcf.exe
2644	wmirpcf.exe
2940	wmirpcf.exe
564	wmirpcf.exe
2104	wmirpcf.exe
2536	wmirpcf.exe
1848	wmirpcf.exe
892	wmirpcf.exe
864	wmirpcf.exe
1588	wmirpcf.exe
1692	wmirpcf.exe
2956	wmirpcf.exe
2788	wmirpcf.exe
2948	wmirpcf.exe
708	wmirpcf.exe
2512	wmirpcf.exe
2256	wmirpcf.exe
2536	wmirpcf.exe
2652	wmirpcf.exe
1868	wmirpcf.exe
1736	wmirpcf.exe
1320	wmirpcf.exe
2960	wmirpcf.exe
2708	wmirpcf.exe
2696	wmirpcf.exe
1696	wmirpcf.exe
580	wmirpcf.exe
276	wmirpcf.exe
2112	wmirpcf.exe
2928	wmirpcf.exe
1112	wmirpcf.exe
2648	wmirpcf.exe
2816	wmirpcf.exe
2700	wmirpcf.exe
2692	wmirpcf.exe
588	wmirpcf.exe
1296	wmirpcf.exe
2104	wmirpcf.exe
408	wmirpcf.exe
828	wmirpcf.exe
2928	wmirpcf.exe
2168	wmirpcf.exe
2300	wmirpcf.exe
2332	wmirpcf.exe
2804	wmirpcf.exe
3032	wmirpcf.exe
2764	wmirpcf.exe
3020	wmirpcf.exe
2480	wmirpcf.exe
1560	wmirpcf.exe
2564	wmirpcf.exe
304	wmirpcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2080	2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2080	2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2080	2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2080	2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2080	2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2080	2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2080	2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2080	2648	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1616	2080	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1616	2080	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1616	2080	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1616	2080	b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe	31
PID 1616 wrote to memory of 2092	1616	wmirpcf.exe	32
PID 1616 wrote to memory of 2092	1616	wmirpcf.exe	32
PID 1616 wrote to memory of 2092	1616	wmirpcf.exe	32
PID 1616 wrote to memory of 2092	1616	wmirpcf.exe	32
PID 1616 wrote to memory of 2092	1616	wmirpcf.exe	32
PID 1616 wrote to memory of 2092	1616	wmirpcf.exe	32
PID 1616 wrote to memory of 2092	1616	wmirpcf.exe	32
PID 1616 wrote to memory of 2092	1616	wmirpcf.exe	32
PID 2092 wrote to memory of 3068	2092	wmirpcf.exe	33
PID 2092 wrote to memory of 3068	2092	wmirpcf.exe	33
PID 2092 wrote to memory of 3068	2092	wmirpcf.exe	33
PID 2092 wrote to memory of 3068	2092	wmirpcf.exe	33
PID 3068 wrote to memory of 2904	3068	wmirpcf.exe	34
PID 3068 wrote to memory of 2904	3068	wmirpcf.exe	34
PID 3068 wrote to memory of 2904	3068	wmirpcf.exe	34
PID 3068 wrote to memory of 2904	3068	wmirpcf.exe	34
PID 3068 wrote to memory of 2904	3068	wmirpcf.exe	34
PID 3068 wrote to memory of 2904	3068	wmirpcf.exe	34
PID 3068 wrote to memory of 2904	3068	wmirpcf.exe	34
PID 3068 wrote to memory of 2904	3068	wmirpcf.exe	34
PID 2904 wrote to memory of 2484	2904	wmirpcf.exe	35
PID 2904 wrote to memory of 2484	2904	wmirpcf.exe	35
PID 2904 wrote to memory of 2484	2904	wmirpcf.exe	35
PID 2904 wrote to memory of 2484	2904	wmirpcf.exe	35
PID 2484 wrote to memory of 632	2484	wmirpcf.exe	36
PID 2484 wrote to memory of 632	2484	wmirpcf.exe	36
PID 2484 wrote to memory of 632	2484	wmirpcf.exe	36
PID 2484 wrote to memory of 632	2484	wmirpcf.exe	36
PID 2484 wrote to memory of 632	2484	wmirpcf.exe	36
PID 2484 wrote to memory of 632	2484	wmirpcf.exe	36
PID 2484 wrote to memory of 632	2484	wmirpcf.exe	36
PID 2484 wrote to memory of 632	2484	wmirpcf.exe	36
PID 632 wrote to memory of 2776	632	wmirpcf.exe	37
PID 632 wrote to memory of 2776	632	wmirpcf.exe	37
PID 632 wrote to memory of 2776	632	wmirpcf.exe	37
PID 632 wrote to memory of 2776	632	wmirpcf.exe	37
PID 2776 wrote to memory of 1156	2776	wmirpcf.exe	38
PID 2776 wrote to memory of 1156	2776	wmirpcf.exe	38
PID 2776 wrote to memory of 1156	2776	wmirpcf.exe	38
PID 2776 wrote to memory of 1156	2776	wmirpcf.exe	38
PID 2776 wrote to memory of 1156	2776	wmirpcf.exe	38
PID 2776 wrote to memory of 1156	2776	wmirpcf.exe	38
PID 2776 wrote to memory of 1156	2776	wmirpcf.exe	38
PID 2776 wrote to memory of 1156	2776	wmirpcf.exe	38
PID 1156 wrote to memory of 1900	1156	wmirpcf.exe	39
PID 1156 wrote to memory of 1900	1156	wmirpcf.exe	39
PID 1156 wrote to memory of 1900	1156	wmirpcf.exe	39
PID 1156 wrote to memory of 1900	1156	wmirpcf.exe	39
PID 1900 wrote to memory of 1928	1900	wmirpcf.exe	40
PID 1900 wrote to memory of 1928	1900	wmirpcf.exe	40
PID 1900 wrote to memory of 1928	1900	wmirpcf.exe	40
PID 1900 wrote to memory of 1928	1900	wmirpcf.exe	40

C:\Users\Admin\AppData\Local\Temp\b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\b493cf0fe1f93895aca6b6834edb62b0_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\wmirpcf.exe
    "C:\Windows\system32\wmirpcf.exe" C:\Users\Admin\AppData\Local\Temp\B493CF~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\wmirpcf.exe
      C:\Windows\SysWOW64\wmirpcf.exe C:\Users\Admin\AppData\Local\Temp\B493CF~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2008
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:332
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:976
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:824
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:708
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:540
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1364
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        66⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        69⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        72⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        73⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        74⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        75⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        76⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:484
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        77⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        79⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        80⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        82⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:952
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        83⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        85⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:288
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        87⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        88⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:300
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        89⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        90⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        91⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        92⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        94⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        95⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        96⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        98⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        99⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        100⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:408
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:832
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        103⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        104⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        105⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        106⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:948
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        107⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        108⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1628
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        109⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        110⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1180
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        111⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        113⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        114⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        115⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        116⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        117⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        120⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:848
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        121⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        122⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        123⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:276
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        127⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        128⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:688
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        129⤵
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        130⤵
        
        PID:900
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        131⤵
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        133⤵
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        135⤵
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        136⤵
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        138⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        139⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:356
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        140⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        141⤵
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        142⤵
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        144⤵
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        146⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        147⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        148⤵
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        149⤵
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        150⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        151⤵
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        152⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        153⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        154⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        156⤵
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        157⤵
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        159⤵
        
        PID:912
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        160⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        161⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        163⤵
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        164⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        165⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        166⤵
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        167⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        169⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        171⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        173⤵
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        174⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        175⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        176⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        177⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        178⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        179⤵
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        180⤵
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmirpcf.exe

Filesize
220KB

MD5
b493cf0fe1f93895aca6b6834edb62b0

SHA1
2af8f287ce851f3d11b1f0a5ca33f6bba1d612ca

SHA256
e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5c

SHA512
d4159d22f90cfbe7601a51edfb3411d2589c21f5cb4955270b3eb84878fb9bbf975ac0dac917a34865da13422979f53a54008cf5a26735b3368408145cdc254a

Download Submit
memory/276-1137-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/288-814-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/300-831-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/332-337-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/484-729-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/540-553-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/540-559-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/632-100-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/632-92-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/688-1173-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/824-456-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/832-950-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/848-1103-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/880-1290-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/900-1188-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/948-984-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/952-780-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/976-405-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-1205-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1084-1324-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1124-1511-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1156-114-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1156-123-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-1018-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1220-1222-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1288-439-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1304-354-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1364-593-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1424-541-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1484-1086-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1496-388-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1500-1375-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1552-1069-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1612-371-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1624-610-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1628-1001-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1664-473-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1668-967-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1672-848-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1856-1307-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1928-146-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1928-139-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1936-933-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1940-644-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1952-1035-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2000-184-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2000-190-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2008-256-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2008-248-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2028-206-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2028-215-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2056-234-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-32-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-19-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-11-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-3-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-18-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-9-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2080-17-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-16-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-5-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-50-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-47-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-49-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-48-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-56-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2100-576-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2112-1156-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2164-1409-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2244-1392-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2256-763-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2268-422-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2336-299-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2400-278-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2424-884-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2436-661-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2444-797-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2460-678-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-1477-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2524-746-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2556-1494-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2596-627-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2604-168-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2604-161-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2616-1358-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2640-1120-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2648-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2664-1460-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2688-695-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2692-1256-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2708-1443-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2732-1052-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2752-507-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2760-916-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2824-865-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2848-1426-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2860-712-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2904-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2904-78-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2936-1239-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2944-524-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2948-899-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2980-320-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3000-490-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3040-1273-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-1341-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download