metasploit | d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe
Size

220KB
MD5

30e73f871d7eea01c3b848e2c89142b4
SHA1

81a18f8c3df46c501af7f555b6a42f55f9601c7d
SHA256

d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7
SHA512

4b505debb845bd6196cac0e29bc4b0b806f2ea47109c2b1ad8bf8456ef1993ca6bb78db167426ea88dc57c6773056af0f69acce51531d5f250a489082e0cdf90
SSDEEP

6144:t1JIfielipuGOMlliO1DmWIgff9aGzde4qz7:t1JKi8ciYq0fZzqz7

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2796	wmirpcf.exe

Executes dropped EXE 64 IoCs

pid	Process
2428	wmirpcf.exe
2796	wmirpcf.exe
2756	wmirpcf.exe
2588	wmirpcf.exe
2640	wmirpcf.exe
2020	wmirpcf.exe
800	wmirpcf.exe
1660	wmirpcf.exe
1724	wmirpcf.exe
2920	wmirpcf.exe
2952	wmirpcf.exe
2044	wmirpcf.exe
1840	wmirpcf.exe
1536	wmirpcf.exe
936	wmirpcf.exe
1592	wmirpcf.exe
2100	wmirpcf.exe
2132	wmirpcf.exe
1632	wmirpcf.exe
1636	wmirpcf.exe
2292	wmirpcf.exe
1668	wmirpcf.exe
2716	wmirpcf.exe
2656	wmirpcf.exe
2608	wmirpcf.exe
1248	wmirpcf.exe
1996	wmirpcf.exe
868	wmirpcf.exe
1440	wmirpcf.exe
616	wmirpcf.exe
1724	wmirpcf.exe
2988	wmirpcf.exe
3036	wmirpcf.exe
1300	wmirpcf.exe
1404	wmirpcf.exe
900	wmirpcf.exe
936	wmirpcf.exe
488	wmirpcf.exe
1620	wmirpcf.exe
272	wmirpcf.exe
2188	wmirpcf.exe
2672	wmirpcf.exe
2104	wmirpcf.exe
2260	wmirpcf.exe
2744	wmirpcf.exe
2460	wmirpcf.exe
2088	wmirpcf.exe
2312	wmirpcf.exe
1340	wmirpcf.exe
2000	wmirpcf.exe
1992	wmirpcf.exe
2984	wmirpcf.exe
1912	wmirpcf.exe
800	wmirpcf.exe
2632	wmirpcf.exe
408	wmirpcf.exe
2176	wmirpcf.exe
944	wmirpcf.exe
532	wmirpcf.exe
1208	wmirpcf.exe
2936	wmirpcf.exe
2528	wmirpcf.exe
2008	wmirpcf.exe
1532	wmirpcf.exe

Loads dropped DLL 64 IoCs

pid	Process
2504	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe
2504	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe
2428	wmirpcf.exe
2796	wmirpcf.exe
2796	wmirpcf.exe
2588	wmirpcf.exe
2588	wmirpcf.exe
2020	wmirpcf.exe
2020	wmirpcf.exe
1660	wmirpcf.exe
1660	wmirpcf.exe
2920	wmirpcf.exe
2920	wmirpcf.exe
2044	wmirpcf.exe
2044	wmirpcf.exe
1536	wmirpcf.exe
1536	wmirpcf.exe
1592	wmirpcf.exe
1592	wmirpcf.exe
2132	wmirpcf.exe
2132	wmirpcf.exe
1636	wmirpcf.exe
1636	wmirpcf.exe
1668	wmirpcf.exe
1668	wmirpcf.exe
2656	wmirpcf.exe
2656	wmirpcf.exe
1248	wmirpcf.exe
1248	wmirpcf.exe
868	wmirpcf.exe
868	wmirpcf.exe
616	wmirpcf.exe
616	wmirpcf.exe
2988	wmirpcf.exe
2988	wmirpcf.exe
1300	wmirpcf.exe
1300	wmirpcf.exe
900	wmirpcf.exe
900	wmirpcf.exe
488	wmirpcf.exe
488	wmirpcf.exe
272	wmirpcf.exe
272	wmirpcf.exe
2672	wmirpcf.exe
2672	wmirpcf.exe
2260	wmirpcf.exe
2260	wmirpcf.exe
2460	wmirpcf.exe
2460	wmirpcf.exe
2312	wmirpcf.exe
2312	wmirpcf.exe
2000	wmirpcf.exe
2000	wmirpcf.exe
2984	wmirpcf.exe
2984	wmirpcf.exe
800	wmirpcf.exe
800	wmirpcf.exe
408	wmirpcf.exe
408	wmirpcf.exe
944	wmirpcf.exe
944	wmirpcf.exe
1208	wmirpcf.exe
1208	wmirpcf.exe
2528	wmirpcf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File opened for modification	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe
File created	C:\Windows\SysWOW64\wmirpcf.exe	wmirpcf.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2268 set thread context of 2504	2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	30
PID 2428 set thread context of 2796	2428	wmirpcf.exe	32
PID 2756 set thread context of 2588	2756	wmirpcf.exe	34
PID 2640 set thread context of 2020	2640	wmirpcf.exe	36
PID 800 set thread context of 1660	800	wmirpcf.exe	38
PID 1724 set thread context of 2920	1724	wmirpcf.exe	40
PID 2952 set thread context of 2044	2952	wmirpcf.exe	43
PID 1840 set thread context of 1536	1840	wmirpcf.exe	45
PID 936 set thread context of 1592	936	wmirpcf.exe	47
PID 2100 set thread context of 2132	2100	wmirpcf.exe	49
PID 1632 set thread context of 1636	1632	wmirpcf.exe	51
PID 2292 set thread context of 1668	2292	wmirpcf.exe	53
PID 2716 set thread context of 2656	2716	wmirpcf.exe	55
PID 2608 set thread context of 1248	2608	wmirpcf.exe	57
PID 1996 set thread context of 868	1996	wmirpcf.exe	59
PID 1440 set thread context of 616	1440	wmirpcf.exe	61
PID 1724 set thread context of 2988	1724	wmirpcf.exe	63
PID 3036 set thread context of 1300	3036	wmirpcf.exe	65
PID 1404 set thread context of 900	1404	wmirpcf.exe	67
PID 936 set thread context of 488	936	wmirpcf.exe	69
PID 1620 set thread context of 272	1620	wmirpcf.exe	71
PID 2188 set thread context of 2672	2188	wmirpcf.exe	73
PID 2104 set thread context of 2260	2104	wmirpcf.exe	75
PID 2744 set thread context of 2460	2744	wmirpcf.exe	77
PID 2088 set thread context of 2312	2088	wmirpcf.exe	79
PID 1340 set thread context of 2000	1340	wmirpcf.exe	81
PID 1992 set thread context of 2984	1992	wmirpcf.exe	83
PID 1912 set thread context of 800	1912	wmirpcf.exe	85
PID 2632 set thread context of 408	2632	wmirpcf.exe	87
PID 2176 set thread context of 944	2176	wmirpcf.exe	89
PID 532 set thread context of 1208	532	wmirpcf.exe	91
PID 2936 set thread context of 2528	2936	wmirpcf.exe	93
PID 2008 set thread context of 1532	2008	wmirpcf.exe	95
PID 1884 set thread context of 2300	1884	wmirpcf.exe	97
PID 2600 set thread context of 2292	2600	wmirpcf.exe	99
PID 2668 set thread context of 2116	2668	wmirpcf.exe	101
PID 1484 set thread context of 1716	1484	wmirpcf.exe	103
PID 2012 set thread context of 2688	2012	wmirpcf.exe	105
PID 2768 set thread context of 2776	2768	wmirpcf.exe	107
PID 2096 set thread context of 872	2096	wmirpcf.exe	109
PID 3036 set thread context of 2144	3036	wmirpcf.exe	111
PID 1892 set thread context of 532	1892	wmirpcf.exe	113
PID 1448 set thread context of 988	1448	wmirpcf.exe	115
PID 880 set thread context of 1516	880	wmirpcf.exe	117
PID 1884 set thread context of 2304	1884	wmirpcf.exe	119
PID 2748 set thread context of 2616	2748	wmirpcf.exe	121
PID 2664 set thread context of 2608	2664	wmirpcf.exe	123
PID 1484 set thread context of 112	1484	wmirpcf.exe	125
PID 1000 set thread context of 1200	1000	wmirpcf.exe	127
PID 2964 set thread context of 2992	2964	wmirpcf.exe	129
PID 3024 set thread context of 1020	3024	wmirpcf.exe	131
PID 1928 set thread context of 1404	1928	wmirpcf.exe	133
PID 1952 set thread context of 1136	1952	wmirpcf.exe	135
PID 1672 set thread context of 1616	1672	wmirpcf.exe	137
PID 2288 set thread context of 2328	2288	wmirpcf.exe	139
PID 932 set thread context of 1348	932	wmirpcf.exe	141
PID 2444 set thread context of 2872	2444	wmirpcf.exe	143
PID 2636 set thread context of 2652	2636	wmirpcf.exe	145
PID 2604 set thread context of 2184	2604	wmirpcf.exe	147
PID 1428 set thread context of 1344	1428	wmirpcf.exe	149
PID 2828 set thread context of 2680	2828	wmirpcf.exe	151
PID 2096 set thread context of 2928	2096	wmirpcf.exe	153
PID 948 set thread context of 1540	948	wmirpcf.exe	155
PID 2224 set thread context of 2076	2224	wmirpcf.exe	157

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-5-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2504-7-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2504-9-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2504-15-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2504-17-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2504-18-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2504-16-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2504-14-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2504-32-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2796-47-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2796-48-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2796-49-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2796-54-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2588-71-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2588-70-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2588-68-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2588-69-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2588-77-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2020-99-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1660-120-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2920-141-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2044-165-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1536-184-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1592-205-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2132-229-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1636-248-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1668-269-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2656-290-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1248-310-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/868-322-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/868-328-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/616-345-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2988-362-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1300-379-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/900-396-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/488-413-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/272-432-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2672-447-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2260-464-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2460-481-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2312-498-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2000-515-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2984-532-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/800-549-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/408-566-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/944-583-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1208-600-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2528-617-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1532-635-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2300-652-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2292-669-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2116-686-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1716-703-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2688-720-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2776-737-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/872-754-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2144-771-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/532-788-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/988-805-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1516-822-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2304-839-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2616-856-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2608-873-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/112-890-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmirpcf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	wmirpcf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe
2796	wmirpcf.exe
2588	wmirpcf.exe
2020	wmirpcf.exe
1660	wmirpcf.exe
2920	wmirpcf.exe
2044	wmirpcf.exe
1536	wmirpcf.exe
1592	wmirpcf.exe
2132	wmirpcf.exe
1636	wmirpcf.exe
1668	wmirpcf.exe
2656	wmirpcf.exe
1248	wmirpcf.exe
868	wmirpcf.exe
616	wmirpcf.exe
2988	wmirpcf.exe
1300	wmirpcf.exe
900	wmirpcf.exe
488	wmirpcf.exe
272	wmirpcf.exe
2672	wmirpcf.exe
2260	wmirpcf.exe
2460	wmirpcf.exe
2312	wmirpcf.exe
2000	wmirpcf.exe
2984	wmirpcf.exe
800	wmirpcf.exe
408	wmirpcf.exe
944	wmirpcf.exe
1208	wmirpcf.exe
2528	wmirpcf.exe
2300	wmirpcf.exe
2292	wmirpcf.exe
2116	wmirpcf.exe
1716	wmirpcf.exe
2688	wmirpcf.exe
2776	wmirpcf.exe
872	wmirpcf.exe
2144	wmirpcf.exe
532	wmirpcf.exe
988	wmirpcf.exe
1516	wmirpcf.exe
2304	wmirpcf.exe
2616	wmirpcf.exe
2608	wmirpcf.exe
112	wmirpcf.exe
1200	wmirpcf.exe
2992	wmirpcf.exe
1020	wmirpcf.exe
1404	wmirpcf.exe
1136	wmirpcf.exe
1616	wmirpcf.exe
2328	wmirpcf.exe
1348	wmirpcf.exe
2872	wmirpcf.exe
2652	wmirpcf.exe
2184	wmirpcf.exe
1344	wmirpcf.exe
2680	wmirpcf.exe
2928	wmirpcf.exe
1540	wmirpcf.exe
2076	wmirpcf.exe
1684	wmirpcf.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe
2428	wmirpcf.exe
2756	wmirpcf.exe
2640	wmirpcf.exe
800	wmirpcf.exe
1724	wmirpcf.exe
2952	wmirpcf.exe
1840	wmirpcf.exe
936	wmirpcf.exe
2100	wmirpcf.exe
1632	wmirpcf.exe
2292	wmirpcf.exe
2716	wmirpcf.exe
2608	wmirpcf.exe
1996	wmirpcf.exe
1440	wmirpcf.exe
1724	wmirpcf.exe
3036	wmirpcf.exe
1404	wmirpcf.exe
936	wmirpcf.exe
1620	wmirpcf.exe
2188	wmirpcf.exe
2104	wmirpcf.exe
2744	wmirpcf.exe
2088	wmirpcf.exe
1340	wmirpcf.exe
1992	wmirpcf.exe
1912	wmirpcf.exe
2632	wmirpcf.exe
2176	wmirpcf.exe
532	wmirpcf.exe
2936	wmirpcf.exe
2008	wmirpcf.exe
1884	wmirpcf.exe
2600	wmirpcf.exe
2668	wmirpcf.exe
1484	wmirpcf.exe
2012	wmirpcf.exe
2768	wmirpcf.exe
2096	wmirpcf.exe
3036	wmirpcf.exe
1892	wmirpcf.exe
1448	wmirpcf.exe
880	wmirpcf.exe
1884	wmirpcf.exe
2748	wmirpcf.exe
2664	wmirpcf.exe
1484	wmirpcf.exe
1000	wmirpcf.exe
2964	wmirpcf.exe
3024	wmirpcf.exe
1928	wmirpcf.exe
1952	wmirpcf.exe
1672	wmirpcf.exe
2288	wmirpcf.exe
932	wmirpcf.exe
2444	wmirpcf.exe
2636	wmirpcf.exe
2604	wmirpcf.exe
1428	wmirpcf.exe
2828	wmirpcf.exe
2096	wmirpcf.exe
948	wmirpcf.exe
2224	wmirpcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2504	2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	30
PID 2268 wrote to memory of 2504	2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	30
PID 2268 wrote to memory of 2504	2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	30
PID 2268 wrote to memory of 2504	2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	30
PID 2268 wrote to memory of 2504	2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	30
PID 2268 wrote to memory of 2504	2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	30
PID 2268 wrote to memory of 2504	2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	30
PID 2268 wrote to memory of 2504	2268	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	30
PID 2504 wrote to memory of 2428	2504	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	31
PID 2504 wrote to memory of 2428	2504	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	31
PID 2504 wrote to memory of 2428	2504	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	31
PID 2504 wrote to memory of 2428	2504	d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe	31
PID 2428 wrote to memory of 2796	2428	wmirpcf.exe	32
PID 2428 wrote to memory of 2796	2428	wmirpcf.exe	32
PID 2428 wrote to memory of 2796	2428	wmirpcf.exe	32
PID 2428 wrote to memory of 2796	2428	wmirpcf.exe	32
PID 2428 wrote to memory of 2796	2428	wmirpcf.exe	32
PID 2428 wrote to memory of 2796	2428	wmirpcf.exe	32
PID 2428 wrote to memory of 2796	2428	wmirpcf.exe	32
PID 2428 wrote to memory of 2796	2428	wmirpcf.exe	32
PID 2796 wrote to memory of 2756	2796	wmirpcf.exe	33
PID 2796 wrote to memory of 2756	2796	wmirpcf.exe	33
PID 2796 wrote to memory of 2756	2796	wmirpcf.exe	33
PID 2796 wrote to memory of 2756	2796	wmirpcf.exe	33
PID 2756 wrote to memory of 2588	2756	wmirpcf.exe	34
PID 2756 wrote to memory of 2588	2756	wmirpcf.exe	34
PID 2756 wrote to memory of 2588	2756	wmirpcf.exe	34
PID 2756 wrote to memory of 2588	2756	wmirpcf.exe	34
PID 2756 wrote to memory of 2588	2756	wmirpcf.exe	34
PID 2756 wrote to memory of 2588	2756	wmirpcf.exe	34
PID 2756 wrote to memory of 2588	2756	wmirpcf.exe	34
PID 2756 wrote to memory of 2588	2756	wmirpcf.exe	34
PID 2588 wrote to memory of 2640	2588	wmirpcf.exe	35
PID 2588 wrote to memory of 2640	2588	wmirpcf.exe	35
PID 2588 wrote to memory of 2640	2588	wmirpcf.exe	35
PID 2588 wrote to memory of 2640	2588	wmirpcf.exe	35
PID 2640 wrote to memory of 2020	2640	wmirpcf.exe	36
PID 2640 wrote to memory of 2020	2640	wmirpcf.exe	36
PID 2640 wrote to memory of 2020	2640	wmirpcf.exe	36
PID 2640 wrote to memory of 2020	2640	wmirpcf.exe	36
PID 2640 wrote to memory of 2020	2640	wmirpcf.exe	36
PID 2640 wrote to memory of 2020	2640	wmirpcf.exe	36
PID 2640 wrote to memory of 2020	2640	wmirpcf.exe	36
PID 2640 wrote to memory of 2020	2640	wmirpcf.exe	36
PID 2020 wrote to memory of 800	2020	wmirpcf.exe	37
PID 2020 wrote to memory of 800	2020	wmirpcf.exe	37
PID 2020 wrote to memory of 800	2020	wmirpcf.exe	37
PID 2020 wrote to memory of 800	2020	wmirpcf.exe	37
PID 800 wrote to memory of 1660	800	wmirpcf.exe	38
PID 800 wrote to memory of 1660	800	wmirpcf.exe	38
PID 800 wrote to memory of 1660	800	wmirpcf.exe	38
PID 800 wrote to memory of 1660	800	wmirpcf.exe	38
PID 800 wrote to memory of 1660	800	wmirpcf.exe	38
PID 800 wrote to memory of 1660	800	wmirpcf.exe	38
PID 800 wrote to memory of 1660	800	wmirpcf.exe	38
PID 800 wrote to memory of 1660	800	wmirpcf.exe	38
PID 1660 wrote to memory of 1724	1660	wmirpcf.exe	39
PID 1660 wrote to memory of 1724	1660	wmirpcf.exe	39
PID 1660 wrote to memory of 1724	1660	wmirpcf.exe	39
PID 1660 wrote to memory of 1724	1660	wmirpcf.exe	39
PID 1724 wrote to memory of 2920	1724	wmirpcf.exe	40
PID 1724 wrote to memory of 2920	1724	wmirpcf.exe	40
PID 1724 wrote to memory of 2920	1724	wmirpcf.exe	40
PID 1724 wrote to memory of 2920	1724	wmirpcf.exe	40

C:\Users\Admin\AppData\Local\Temp\d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe
"C:\Users\Admin\AppData\Local\Temp\d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe
  C:\Users\Admin\AppData\Local\Temp\d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\wmirpcf.exe
    "C:\Windows\system32\wmirpcf.exe" C:\Users\Admin\AppData\Local\Temp\D2336F~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\wmirpcf.exe
      C:\Windows\SysWOW64\wmirpcf.exe C:\Users\Admin\AppData\Local\Temp\D2336F~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2132
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1248
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:616
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:900
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:488
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:272
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2260
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:408
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:944
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1208
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        67⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        70⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        71⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        73⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        75⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        76⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        77⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        78⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        80⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        81⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2144
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        84⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:532
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        85⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        86⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:988
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        87⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        88⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        89⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        90⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        92⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        93⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        94⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        95⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        96⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        97⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        98⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        99⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        100⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        101⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        102⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        103⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        105⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        106⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        107⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        108⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        109⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        110⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        111⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        112⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        113⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        114⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        115⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        116⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        117⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        118⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        120⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1344
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        121⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        122⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        123⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2928
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        126⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        127⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        128⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        129⤵
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        130⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        131⤵
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        133⤵
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        135⤵
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        138⤵
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        139⤵
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        140⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        144⤵
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        "C:\Windows\system32\wmirpcf.exe" C:\Windows\SysWOW64\wmirpcf.exe
        145⤵
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\wmirpcf.exe
        
        C:\Windows\SysWOW64\wmirpcf.exe C:\Windows\SysWOW64\wmirpcf.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmirpcf.exe

Filesize
220KB

MD5
30e73f871d7eea01c3b848e2c89142b4

SHA1
81a18f8c3df46c501af7f555b6a42f55f9601c7d

SHA256
d2336f1b087906acf7687031caa9b17d9bbe44d14abec76039e45112ac2f92a7

SHA512
4b505debb845bd6196cac0e29bc4b0b806f2ea47109c2b1ad8bf8456ef1993ca6bb78db167426ea88dc57c6773056af0f69acce51531d5f250a489082e0cdf90

Download Submit
memory/112-890-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/272-432-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/408-566-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/488-413-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/532-788-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/616-345-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/800-549-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/868-322-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/868-328-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/872-754-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/900-396-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/944-583-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/988-805-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1020-941-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1136-975-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1200-907-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1208-600-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1248-310-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1300-379-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1344-1094-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1348-1026-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1404-958-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1516-822-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1532-635-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1536-184-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1540-1145-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1592-205-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1616-992-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1636-248-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1660-120-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1668-269-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1684-1179-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1716-703-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1896-1264-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2000-515-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2020-99-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2044-165-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2076-1162-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2116-686-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2132-229-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2144-771-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2184-1077-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2260-464-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2268-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2292-669-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2300-652-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2304-839-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2312-498-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2328-1009-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2412-1196-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2436-1213-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2460-481-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2472-1299-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-9-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-3-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-5-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2504-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-16-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-17-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-32-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-14-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2504-18-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2528-617-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2588-68-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2588-69-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2588-77-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2588-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2588-71-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2608-873-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2616-856-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2652-1060-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2656-290-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2664-1249-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2672-447-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2680-1113-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2688-720-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2716-1230-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2776-737-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2796-47-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2796-48-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2796-54-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2796-49-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2864-1281-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2872-1043-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2920-141-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2928-1128-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2984-532-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2988-362-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2992-925-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download