metasploit | e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5c

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/12/2024, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
Size

220KB
MD5

b493cf0fe1f93895aca6b6834edb62b0
SHA1

2af8f287ce851f3d11b1f0a5ca33f6bba1d612ca
SHA256

e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5c
SHA512

d4159d22f90cfbe7601a51edfb3411d2589c21f5cb4955270b3eb84878fb9bbf975ac0dac917a34865da13422979f53a54008cf5a26735b3368408145cdc254a
SSDEEP

6144:t1JIfielipuGOMlliO1DmWIgff9aGzde4qz:t1JKi8ciYq0fZzqz

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2864	wmirpcf.exe

Executes dropped EXE 64 IoCs

pid	Process
3008	wmirpcf.exe
2864	wmirpcf.exe
264	wmirpcf.exe
2260	wmirpcf.exe
2188	wmirpcf.exe
2836	wmirpcf.exe
540	wmirpcf.exe
2988	wmirpcf.exe
2096	wmirpcf.exe
1788	wmirpcf.exe
752	wmirpcf.exe
2364	wmirpcf.exe
1732	wmirpcf.exe
832	wmirpcf.exe
2468	wmirpcf.exe
2540	wmirpcf.exe
2168	wmirpcf.exe
1836	wmirpcf.exe
1524	wmirpcf.exe
2676	wmirpcf.exe
796	wmirpcf.exe
2916	wmirpcf.exe
1628	wmirpcf.exe
2968	wmirpcf.exe
308	wmirpcf.exe
2188	wmirpcf.exe
348	wmirpcf.exe
540	wmirpcf.exe
2064	wmirpcf.exe
2400	wmirpcf.exe
2240	wmirpcf.exe
1544	wmirpcf.exe
1532	wmirpcf.exe
2924	wmirpcf.exe
1712	wmirpcf.exe
2440	wmirpcf.exe
2492	wmirpcf.exe
2136	wmirpcf.exe
748	wmirpcf.exe
1852	wmirpcf.exe
1764	wmirpcf.exe
2680	wmirpcf.exe
2500	wmirpcf.exe
2768	wmirpcf.exe
2572	wmirpcf.exe
764	wmirpcf.exe
2760	wmirpcf.exe
3064	wmirpcf.exe
1936	wmirpcf.exe
2088	wmirpcf.exe
3000	wmirpcf.exe
1260	wmirpcf.exe
2448	wmirpcf.exe
1040	wmirpcf.exe
828	wmirpcf.exe
1532	wmirpcf.exe
1704	wmirpcf.exe
2052	wmirpcf.exe
2252	wmirpcf.exe
2292	wmirpcf.exe
568	wmirpcf.exe
1640	wmirpcf.exe
1524	wmirpcf.exe
2792	wmirpcf.exe

Loads dropped DLL 64 IoCs

pid	Process
2216	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
2216	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
3008	wmirpcf.exe
2864	wmirpcf.exe
2864	wmirpcf.exe
2260	wmirpcf.exe
2260	wmirpcf.exe
2836	wmirpcf.exe
2836	wmirpcf.exe
2988	wmirpcf.exe
2988	wmirpcf.exe
1788	wmirpcf.exe
1788	wmirpcf.exe
2364	wmirpcf.exe
2364	wmirpcf.exe
832	wmirpcf.exe
832	wmirpcf.exe
2540	wmirpcf.exe
2540	wmirpcf.exe
1836	wmirpcf.exe
1836	wmirpcf.exe
2676	wmirpcf.exe
2676	wmirpcf.exe
2916	wmirpcf.exe
2916	wmirpcf.exe
2968	wmirpcf.exe
2968	wmirpcf.exe
2188	wmirpcf.exe
2188	wmirpcf.exe
540	wmirpcf.exe
540	wmirpcf.exe
2400	wmirpcf.exe
2400	wmirpcf.exe
1544	wmirpcf.exe
1544	wmirpcf.exe
2924	wmirpcf.exe
2924	wmirpcf.exe
2440	wmirpcf.exe
2440	wmirpcf.exe
2136	wmirpcf.exe
2136	wmirpcf.exe
1852	wmirpcf.exe
1852	wmirpcf.exe
2680	wmirpcf.exe
2680	wmirpcf.exe
2768	wmirpcf.exe
2768	wmirpcf.exe
764	wmirpcf.exe
764	wmirpcf.exe
3064	wmirpcf.exe
3064	wmirpcf.exe
2088	wmirpcf.exe
2088	wmirpcf.exe
1260	wmirpcf.exe
1260	wmirpcf.exe
1040	wmirpcf.exe
1040	wmirpcf.exe
1532	wmirpcf.exe
1532	wmirpcf.exe
2052	wmirpcf.exe
2052	wmirpcf.exe
2292	wmirpcf.exe
2292	wmirpcf.exe
1640	wmirpcf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2216	2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	31
PID 3008 set thread context of 2864	3008	wmirpcf.exe	33
PID 264 set thread context of 2260	264	wmirpcf.exe	35
PID 2188 set thread context of 2836	2188	wmirpcf.exe	37
PID 540 set thread context of 2988	540	wmirpcf.exe	39
PID 2096 set thread context of 1788	2096	wmirpcf.exe	41
PID 752 set thread context of 2364	752	wmirpcf.exe	43
PID 1732 set thread context of 832	1732	wmirpcf.exe	45
PID 2468 set thread context of 2540	2468	wmirpcf.exe	47
PID 2168 set thread context of 1836	2168	wmirpcf.exe	49
PID 1524 set thread context of 2676	1524	wmirpcf.exe	51
PID 796 set thread context of 2916	796	wmirpcf.exe	53
PID 1628 set thread context of 2968	1628	wmirpcf.exe	55
PID 308 set thread context of 2188	308	wmirpcf.exe	57
PID 348 set thread context of 540	348	wmirpcf.exe	59
PID 2064 set thread context of 2400	2064	wmirpcf.exe	61
PID 2240 set thread context of 1544	2240	wmirpcf.exe	63
PID 1532 set thread context of 2924	1532	wmirpcf.exe	65
PID 1712 set thread context of 2440	1712	wmirpcf.exe	67
PID 2492 set thread context of 2136	2492	wmirpcf.exe	69
PID 748 set thread context of 1852	748	wmirpcf.exe	71
PID 1764 set thread context of 2680	1764	wmirpcf.exe	73
PID 2500 set thread context of 2768	2500	wmirpcf.exe	75
PID 2572 set thread context of 764	2572	wmirpcf.exe	77
PID 2760 set thread context of 3064	2760	wmirpcf.exe	79
PID 1936 set thread context of 2088	1936	wmirpcf.exe	81
PID 3000 set thread context of 1260	3000	wmirpcf.exe	83
PID 2448 set thread context of 1040	2448	wmirpcf.exe	85
PID 828 set thread context of 1532	828	wmirpcf.exe	87
PID 1704 set thread context of 2052	1704	wmirpcf.exe	89
PID 2252 set thread context of 2292	2252	wmirpcf.exe	91
PID 568 set thread context of 1640	568	wmirpcf.exe	93
PID 1524 set thread context of 2792	1524	wmirpcf.exe	95
PID 796 set thread context of 2612	796	wmirpcf.exe	97
PID 2360 set thread context of 2256	2360	wmirpcf.exe	99
PID 1340 set thread context of 2752	1340	wmirpcf.exe	101
PID 1224 set thread context of 2028	1224	wmirpcf.exe	103
PID 1652 set thread context of 2092	1652	wmirpcf.exe	105
PID 448 set thread context of 752	448	wmirpcf.exe	107
PID 2324 set thread context of 1236	2324	wmirpcf.exe	109
PID 1668 set thread context of 1140	1668	wmirpcf.exe	111
PID 2288 set thread context of 988	2288	wmirpcf.exe	113
PID 624 set thread context of 2172	624	wmirpcf.exe	115
PID 1508 set thread context of 2596	1508	wmirpcf.exe	117
PID 2564 set thread context of 856	2564	wmirpcf.exe	119
PID 2552 set thread context of 2140	2552	wmirpcf.exe	121
PID 1832 set thread context of 1440	1832	wmirpcf.exe	123
PID 1928 set thread context of 320	1928	wmirpcf.exe	125
PID 2244 set thread context of 2176	2244	wmirpcf.exe	127
PID 1708 set thread context of 300	1708	wmirpcf.exe	129
PID 2324 set thread context of 1656	2324	wmirpcf.exe	131
PID 1480 set thread context of 2512	1480	wmirpcf.exe	133
PID 2580 set thread context of 880	2580	wmirpcf.exe	135
PID 748 set thread context of 2408	748	wmirpcf.exe	137
PID 2712 set thread context of 884	2712	wmirpcf.exe	139
PID 2832 set thread context of 2592	2832	wmirpcf.exe	141
PID 2100 set thread context of 2148	2100	wmirpcf.exe	143
PID 2660 set thread context of 2268	2660	wmirpcf.exe	145
PID 484 set thread context of 2900	484	wmirpcf.exe	147
PID 2200 set thread context of 3032	2200	wmirpcf.exe	149
PID 1648 set thread context of 2224	1648	wmirpcf.exe	151
PID 2536 set thread context of 2444	2536	wmirpcf.exe	153
PID 2236 set thread context of 744	2236	wmirpcf.exe	155
PID 1720 set thread context of 2648	1720	wmirpcf.exe	157

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-9-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-14-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-7-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-5-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-15-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-17-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-16-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-18-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2864-46-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2216-33-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2864-47-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2864-48-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2864-49-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2864-55-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2260-71-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2260-75-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2836-92-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2836-97-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2988-112-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2988-119-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1788-134-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1788-142-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2364-158-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2364-166-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/832-185-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2540-199-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2540-208-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1836-231-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2676-243-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2676-253-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2916-272-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2968-286-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2968-294-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2188-308-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2188-316-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/540-331-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2400-344-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2400-350-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1544-362-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1544-367-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2924-380-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2924-385-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2440-398-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2440-403-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2136-416-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2136-421-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1852-434-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1852-439-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2680-452-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2680-457-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2768-470-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2768-475-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/764-492-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3064-505-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/3064-510-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2088-523-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2088-528-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1260-541-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1260-546-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1040-559-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1040-564-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1532-577-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1532-582-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2052-599-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
2864	wmirpcf.exe
2260	wmirpcf.exe
2836	wmirpcf.exe
2988	wmirpcf.exe
1788	wmirpcf.exe
2364	wmirpcf.exe
832	wmirpcf.exe
2540	wmirpcf.exe
1836	wmirpcf.exe
2676	wmirpcf.exe
2916	wmirpcf.exe
2968	wmirpcf.exe
2188	wmirpcf.exe
540	wmirpcf.exe
2400	wmirpcf.exe
1544	wmirpcf.exe
2924	wmirpcf.exe
2440	wmirpcf.exe
2136	wmirpcf.exe
1852	wmirpcf.exe
2680	wmirpcf.exe
2768	wmirpcf.exe
764	wmirpcf.exe
3064	wmirpcf.exe
2088	wmirpcf.exe
1260	wmirpcf.exe
1040	wmirpcf.exe
1532	wmirpcf.exe
2052	wmirpcf.exe
2292	wmirpcf.exe
1640	wmirpcf.exe
2792	wmirpcf.exe
2612	wmirpcf.exe
2256	wmirpcf.exe
2752	wmirpcf.exe
2028	wmirpcf.exe
2092	wmirpcf.exe
752	wmirpcf.exe
1236	wmirpcf.exe
1140	wmirpcf.exe
988	wmirpcf.exe
2172	wmirpcf.exe
2596	wmirpcf.exe
856	wmirpcf.exe
2140	wmirpcf.exe
1440	wmirpcf.exe
320	wmirpcf.exe
2176	wmirpcf.exe
300	wmirpcf.exe
1656	wmirpcf.exe
2512	wmirpcf.exe
880	wmirpcf.exe
2408	wmirpcf.exe
884	wmirpcf.exe
2592	wmirpcf.exe
2148	wmirpcf.exe
2268	wmirpcf.exe
2900	wmirpcf.exe
3032	wmirpcf.exe
2224	wmirpcf.exe
2444	wmirpcf.exe
744	wmirpcf.exe
2648	wmirpcf.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
3008	wmirpcf.exe
264	wmirpcf.exe
2188	wmirpcf.exe
540	wmirpcf.exe
2096	wmirpcf.exe
752	wmirpcf.exe
1732	wmirpcf.exe
2468	wmirpcf.exe
2168	wmirpcf.exe
1524	wmirpcf.exe
796	wmirpcf.exe
1628	wmirpcf.exe
308	wmirpcf.exe
348	wmirpcf.exe
2064	wmirpcf.exe
2240	wmirpcf.exe
1532	wmirpcf.exe
1712	wmirpcf.exe
2492	wmirpcf.exe
748	wmirpcf.exe
1764	wmirpcf.exe
2500	wmirpcf.exe
2572	wmirpcf.exe
2760	wmirpcf.exe
1936	wmirpcf.exe
3000	wmirpcf.exe
2448	wmirpcf.exe
828	wmirpcf.exe
1704	wmirpcf.exe
2252	wmirpcf.exe
568	wmirpcf.exe
1524	wmirpcf.exe
796	wmirpcf.exe
2360	wmirpcf.exe
1340	wmirpcf.exe
1224	wmirpcf.exe
1652	wmirpcf.exe
448	wmirpcf.exe
2324	wmirpcf.exe
1668	wmirpcf.exe
2288	wmirpcf.exe
624	wmirpcf.exe
1508	wmirpcf.exe
2564	wmirpcf.exe
2552	wmirpcf.exe
1832	wmirpcf.exe
1928	wmirpcf.exe
2244	wmirpcf.exe
1708	wmirpcf.exe
2324	wmirpcf.exe
1480	wmirpcf.exe
2580	wmirpcf.exe
748	wmirpcf.exe
2712	wmirpcf.exe
2832	wmirpcf.exe
2100	wmirpcf.exe
2660	wmirpcf.exe
484	wmirpcf.exe
2200	wmirpcf.exe
1648	wmirpcf.exe
2536	wmirpcf.exe
2236	wmirpcf.exe
1720	wmirpcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2216	2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	31
PID 2172 wrote to memory of 2216	2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	31
PID 2172 wrote to memory of 2216	2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	31
PID 2172 wrote to memory of 2216	2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	31
PID 2172 wrote to memory of 2216	2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	31
PID 2172 wrote to memory of 2216	2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	31
PID 2172 wrote to memory of 2216	2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	31
PID 2172 wrote to memory of 2216	2172	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	31
PID 2216 wrote to memory of 3008	2216	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	32
PID 2216 wrote to memory of 3008	2216	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	32
PID 2216 wrote to memory of 3008	2216	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	32
PID 2216 wrote to memory of 3008	2216	e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe	32
PID 3008 wrote to memory of 2864	3008	wmirpcf.exe	33
PID 3008 wrote to memory of 2864	3008	wmirpcf.exe	33
PID 3008 wrote to memory of 2864	3008	wmirpcf.exe	33
PID 3008 wrote to memory of 2864	3008	wmirpcf.exe	33
PID 3008 wrote to memory of 2864	3008	wmirpcf.exe	33
PID 3008 wrote to memory of 2864	3008	wmirpcf.exe	33
PID 3008 wrote to memory of 2864	3008	wmirpcf.exe	33
PID 3008 wrote to memory of 2864	3008	wmirpcf.exe	33
PID 2864 wrote to memory of 264	2864	wmirpcf.exe	34
PID 2864 wrote to memory of 264	2864	wmirpcf.exe	34
PID 2864 wrote to memory of 264	2864	wmirpcf.exe	34
PID 2864 wrote to memory of 264	2864	wmirpcf.exe	34
PID 264 wrote to memory of 2260	264	wmirpcf.exe	35
PID 264 wrote to memory of 2260	264	wmirpcf.exe	35
PID 264 wrote to memory of 2260	264	wmirpcf.exe	35
PID 264 wrote to memory of 2260	264	wmirpcf.exe	35
PID 264 wrote to memory of 2260	264	wmirpcf.exe	35
PID 264 wrote to memory of 2260	264	wmirpcf.exe	35
PID 264 wrote to memory of 2260	264	wmirpcf.exe	35
PID 264 wrote to memory of 2260	264	wmirpcf.exe	35
PID 2260 wrote to memory of 2188	2260	wmirpcf.exe	36
PID 2260 wrote to memory of 2188	2260	wmirpcf.exe	36
PID 2260 wrote to memory of 2188	2260	wmirpcf.exe	36
PID 2260 wrote to memory of 2188	2260	wmirpcf.exe	36
PID 2188 wrote to memory of 2836	2188	wmirpcf.exe	37
PID 2188 wrote to memory of 2836	2188	wmirpcf.exe	37
PID 2188 wrote to memory of 2836	2188	wmirpcf.exe	37
PID 2188 wrote to memory of 2836	2188	wmirpcf.exe	37
PID 2188 wrote to memory of 2836	2188	wmirpcf.exe	37
PID 2188 wrote to memory of 2836	2188	wmirpcf.exe	37
PID 2188 wrote to memory of 2836	2188	wmirpcf.exe	37
PID 2188 wrote to memory of 2836	2188	wmirpcf.exe	37
PID 2836 wrote to memory of 540	2836	wmirpcf.exe	38
PID 2836 wrote to memory of 540	2836	wmirpcf.exe	38
PID 2836 wrote to memory of 540	2836	wmirpcf.exe	38
PID 2836 wrote to memory of 540	2836	wmirpcf.exe	38
PID 540 wrote to memory of 2988	540	wmirpcf.exe	39
PID 540 wrote to memory of 2988	540	wmirpcf.exe	39
PID 540 wrote to memory of 2988	540	wmirpcf.exe	39
PID 540 wrote to memory of 2988	540	wmirpcf.exe	39
PID 540 wrote to memory of 2988	540	wmirpcf.exe	39
PID 540 wrote to memory of 2988	540	wmirpcf.exe	39
PID 540 wrote to memory of 2988	540	wmirpcf.exe	39
PID 540 wrote to memory of 2988	540	wmirpcf.exe	39
PID 2988 wrote to memory of 2096	2988	wmirpcf.exe	40
PID 2988 wrote to memory of 2096	2988	wmirpcf.exe	40
PID 2988 wrote to memory of 2096	2988	wmirpcf.exe	40
PID 2988 wrote to memory of 2096	2988	wmirpcf.exe	40
PID 2096 wrote to memory of 1788	2096	wmirpcf.exe	41
PID 2096 wrote to memory of 1788	2096	wmirpcf.exe	41
PID 2096 wrote to memory of 1788	2096	wmirpcf.exe	41
PID 2096 wrote to memory of 1788	2096	wmirpcf.exe	41

C:\Users\Admin\AppData\Local\Temp\e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
"C:\Users\Admin\AppData\Local\Temp\e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
  C:\Users\Admin\AppData\Local\Temp\e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5cN.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\wmirpcf.exe
    "C:\Windows\system32\wmirpcf.exe" C:\Users\Admin\AppData\Local\Temp\E7E37B~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\wmirpcf.exe
      C:\Windows\SysWOW64\wmirpcf.exe C:\Users\Admin\AppData\Local\Temp\E7E37B~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:264
      - C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:832
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:308
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:540
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1852
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1260
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2052
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        68⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        69⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        70⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        72⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        74⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        75⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        76⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2092
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        80⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1236
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        81⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        83⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:988
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        85⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        88⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        90⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        92⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        94⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        95⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:320
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        97⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        98⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        99⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        100⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:300
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        102⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        103⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        104⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        105⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        107⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        109⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        110⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        111⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        112⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2592
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        113⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        114⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        115⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        118⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2900
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3032
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        121⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        122⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2224
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        123⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        125⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        126⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:744
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        127⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        128⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        131⤵
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        132⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        133⤵
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        134⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        136⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        137⤵
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        138⤵
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        139⤵
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        140⤵
        
        PID:484
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        142⤵
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmirpcf.exe

Filesize
220KB

MD5
b493cf0fe1f93895aca6b6834edb62b0

SHA1
2af8f287ce851f3d11b1f0a5ca33f6bba1d612ca

SHA256
e7e37b61aac7b9e44c65493187584f285ef5986e2c44f7747663971f60d34b5c

SHA512
d4159d22f90cfbe7601a51edfb3411d2589c21f5cb4955270b3eb84878fb9bbf975ac0dac917a34865da13422979f53a54008cf5a26735b3368408145cdc254a

Download Submit
memory/300-953-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/300-958-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/320-919-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/320-922-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/540-331-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/752-755-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/752-760-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/764-492-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/832-185-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/856-868-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/856-863-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/988-809-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/988-814-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1040-564-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1040-559-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1140-791-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1140-796-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1236-778-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1236-773-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1260-546-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1260-541-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1440-904-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1440-899-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1532-577-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1532-582-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1544-362-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1544-367-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1640-635-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1640-630-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1656-976-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1656-971-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1788-134-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1788-142-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1836-231-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1852-434-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1852-439-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2028-724-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2052-599-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2088-523-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2088-528-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-737-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2092-742-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2136-421-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2136-416-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2140-888-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2140-881-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2172-832-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2172-827-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2172-2-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2176-941-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2176-935-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2188-308-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2188-316-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-33-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-14-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-9-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-3-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-18-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-16-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-17-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-5-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2216-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2256-684-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2256-689-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2260-71-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2260-75-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2292-612-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2292-617-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2364-158-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2364-166-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2400-344-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2400-350-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2440-403-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2440-398-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2512-993-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2540-199-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2540-208-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2596-850-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2596-845-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2612-665-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2612-672-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2676-253-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2676-243-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-457-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-452-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2752-707-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2752-702-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2768-470-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2768-475-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2792-653-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2792-648-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2836-97-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2836-92-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2864-46-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2864-47-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2864-48-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2864-49-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2864-55-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2916-272-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2924-385-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2924-380-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2968-286-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2968-294-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2988-112-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2988-119-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3064-510-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3064-505-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download