netwire | 0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225

Analysis

max time kernel
106s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
Size

118KB
MD5

c2f29e7622b41f880b6bda678e7a5584
SHA1

42713213d71d7b8c57e3c79798ce6b99e41889e8
SHA256

0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225
SHA512

7177a3632486db69854dff5342e1a10258cabdbfe6077337d734a170cdee1a3f00c65c8f47e45bc26aef7f28c53874f760ec345d1ecbbdfe8d33f8d5b629600b
SSDEEP

3072:++z7JXnrdFzp886+RMPy5fWMwdWRgjnahKoutjKI7ehMx:Jz75nrz286+RMaLVRgjahKoS

Score

10^/10

netwire botnet discovery persistence rat stealer upx

Malware Config

Extracted

Family

netwire

imemerit.servehttp.com:3360

Attributes

activex_autorun
true
activex_key
{I78G8V27-88UF-2L1T-8064-2S8723OVASE8}
copy_executable
false
delete_original
true
host_id
HostId-%Rand%
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
mutex
TIrKHSHH
offline_keylogger
true
password
`+8n0x<gT)\"Lu5"'A`c?$H="
registry_autorun
true
startup_name
FirstRowAli
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4280-101-0x0000000000400000-0x000000000041A000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I78G8V27-88UF-2L1T-8064-2S8723OVASE8}	FirstRow.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I78G8V27-88UF-2L1T-8064-2S8723OVASE8}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\FirstRow.pif\""	FirstRow.pif

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FirstRow.pif

Executes dropped EXE 4 IoCs

pid	Process
2312	FirstRow.pif
3364	FirstRow.pif
2680	FirstRow.pif
4280	FirstRow.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FirstRowAli = "C:\\Users\\Admin\\AppData\\Roaming\\FirstRow.pif"	FirstRow.pif

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 2316	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	87
PID 1368 set thread context of 1392	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	88
PID 2312 set thread context of 3364	2312	FirstRow.pif	99
PID 2312 set thread context of 2680	2312	FirstRow.pif	100
PID 2312 set thread context of 4280	2312	FirstRow.pif	111

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1368-0-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1368-7-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/2316-13-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1392-24-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2316-27-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1392-26-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/1392-21-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2316-17-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1368-33-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-40.dat	upx
behavioral2/memory/1392-43-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2312-41-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/2316-46-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2316-47-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2312-49-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/2316-68-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4280-77-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2312-76-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/4280-78-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4280-79-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3364-81-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2680-87-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2316-95-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4280-101-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2316-120-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2316-139-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2316-158-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2316-244-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2316-282-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 38 IoCs

pid	pid_target	Process	procid_target
3712	2984	WerFault.exe	104
1564	4428	WerFault.exe	109
2940	4620	WerFault.exe	114
3684	2108	WerFault.exe	118
1572	4544	WerFault.exe	123
2720	3492	WerFault.exe	127
1088	3328	WerFault.exe	131
3184	2708	WerFault.exe	135
5084	720	WerFault.exe	139
1760	1624	WerFault.exe	143
212	2276	WerFault.exe	147
1432	628	WerFault.exe	151
1372	4336	WerFault.exe	155
2808	3976	WerFault.exe	159
2240	3644	WerFault.exe	163
5008	4128	WerFault.exe	167
4756	2788	WerFault.exe	171
1964	3580	WerFault.exe	175
2800	2084	WerFault.exe	179
2716	3992	WerFault.exe	183
4368	3892	WerFault.exe	187
3852	4768	WerFault.exe	191
4380	4136	WerFault.exe	195
4292	1052	WerFault.exe	199
3596	952	WerFault.exe	203
1184	2176	WerFault.exe	207
4408	3528	WerFault.exe	211
468	4692	WerFault.exe	215
2600	2184	WerFault.exe	219
2800	4996	WerFault.exe	223
2852	1056	WerFault.exe	227
1936	1660	WerFault.exe	231
3112	1744	WerFault.exe	235
3684	4852	WerFault.exe	239
1572	3840	WerFault.exe	243
4980	3356	WerFault.exe	247
5016	3480	WerFault.exe	251
2812	4456	WerFault.exe	255

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FirstRow.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FirstRow.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FirstRow.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FirstRow.pif

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3492	ipconfig.exe
5008	ipconfig.exe
1688	ipconfig.exe
1004	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif
Token: SeDebugPrivilege	2680	FirstRow.pif

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
1392	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
2312	FirstRow.pif
3364	FirstRow.pif
2680	FirstRow.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3492	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	85
PID 1368 wrote to memory of 3492	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	85
PID 1368 wrote to memory of 3492	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	85
PID 1368 wrote to memory of 2316	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	87
PID 1368 wrote to memory of 2316	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	87
PID 1368 wrote to memory of 2316	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	87
PID 1368 wrote to memory of 2316	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	87
PID 1368 wrote to memory of 2316	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	87
PID 1368 wrote to memory of 2316	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	87
PID 1368 wrote to memory of 2316	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	87
PID 1368 wrote to memory of 2316	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	87
PID 1368 wrote to memory of 1392	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	88
PID 1368 wrote to memory of 1392	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	88
PID 1368 wrote to memory of 1392	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	88
PID 1368 wrote to memory of 1392	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	88
PID 1368 wrote to memory of 1392	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	88
PID 1368 wrote to memory of 1392	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	88
PID 1368 wrote to memory of 1392	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	88
PID 1368 wrote to memory of 1392	1368	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	88
PID 2316 wrote to memory of 5008	2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	89
PID 2316 wrote to memory of 5008	2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	89
PID 2316 wrote to memory of 5008	2316	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	89
PID 1392 wrote to memory of 2312	1392	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	92
PID 1392 wrote to memory of 2312	1392	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	92
PID 1392 wrote to memory of 2312	1392	0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe	92
PID 2312 wrote to memory of 1688	2312	FirstRow.pif	98
PID 2312 wrote to memory of 1688	2312	FirstRow.pif	98
PID 2312 wrote to memory of 1688	2312	FirstRow.pif	98
PID 2312 wrote to memory of 3364	2312	FirstRow.pif	99
PID 2312 wrote to memory of 3364	2312	FirstRow.pif	99
PID 2312 wrote to memory of 3364	2312	FirstRow.pif	99
PID 2312 wrote to memory of 3364	2312	FirstRow.pif	99
PID 2312 wrote to memory of 3364	2312	FirstRow.pif	99
PID 2312 wrote to memory of 3364	2312	FirstRow.pif	99
PID 2312 wrote to memory of 3364	2312	FirstRow.pif	99
PID 2312 wrote to memory of 3364	2312	FirstRow.pif	99
PID 2312 wrote to memory of 2680	2312	FirstRow.pif	100
PID 2312 wrote to memory of 2680	2312	FirstRow.pif	100
PID 2312 wrote to memory of 2680	2312	FirstRow.pif	100
PID 2312 wrote to memory of 2680	2312	FirstRow.pif	100
PID 2312 wrote to memory of 2680	2312	FirstRow.pif	100
PID 2312 wrote to memory of 2680	2312	FirstRow.pif	100
PID 2312 wrote to memory of 2680	2312	FirstRow.pif	100
PID 2312 wrote to memory of 2680	2312	FirstRow.pif	100
PID 3364 wrote to memory of 1004	3364	FirstRow.pif	102
PID 3364 wrote to memory of 1004	3364	FirstRow.pif	102
PID 3364 wrote to memory of 1004	3364	FirstRow.pif	102
PID 2680 wrote to memory of 2984	2680	FirstRow.pif	104
PID 2680 wrote to memory of 2984	2680	FirstRow.pif	104
PID 2680 wrote to memory of 2984	2680	FirstRow.pif	104
PID 2680 wrote to memory of 2984	2680	FirstRow.pif	104
PID 2680 wrote to memory of 2984	2680	FirstRow.pif	104
PID 2680 wrote to memory of 4428	2680	FirstRow.pif	109
PID 2680 wrote to memory of 4428	2680	FirstRow.pif	109
PID 2680 wrote to memory of 4428	2680	FirstRow.pif	109
PID 2680 wrote to memory of 4428	2680	FirstRow.pif	109
PID 2680 wrote to memory of 4428	2680	FirstRow.pif	109
PID 2312 wrote to memory of 4280	2312	FirstRow.pif	111
PID 2312 wrote to memory of 4280	2312	FirstRow.pif	111
PID 2312 wrote to memory of 4280	2312	FirstRow.pif	111
PID 2312 wrote to memory of 4280	2312	FirstRow.pif	111
PID 2312 wrote to memory of 4280	2312	FirstRow.pif	111
PID 2312 wrote to memory of 4280	2312	FirstRow.pif	111
PID 2312 wrote to memory of 4280	2312	FirstRow.pif	111

C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
"C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /release
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:3492
- C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
  "C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:5008
- C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
  "C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Roaming\FirstRow.pif
    "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /release
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1688
  - - C:\Users\Admin\AppData\Roaming\FirstRow.pif
      "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1004
  - - C:\Users\Admin\AppData\Roaming\FirstRow.pif
      "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:2984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 336
        6⤵
        Program crash
        
        PID:3712
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 336
        6⤵
        Program crash
        
        PID:1564
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 336
        6⤵
        Program crash
        
        PID:2940
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:2108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 336
        6⤵
        Program crash
        
        PID:3684
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 336
        6⤵
        Program crash
        
        PID:1572
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 336
        6⤵
        Program crash
        
        PID:2720
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 336
        6⤵
        Program crash
        
        PID:1088
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:2708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 336
        6⤵
        Program crash
        
        PID:3184
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 336
        6⤵
        Program crash
        
        PID:5084
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:1624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 336
        6⤵
        Program crash
        
        PID:1760
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:2276
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 336
        6⤵
        Program crash
        
        PID:212
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 340
        6⤵
        Program crash
        
        PID:1432
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 336
        6⤵
        Program crash
        
        PID:1372
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 336
        6⤵
        Program crash
        
        PID:2808
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 336
        6⤵
        Program crash
        
        PID:2240
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 336
        6⤵
        Program crash
        
        PID:5008
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:2788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 340
        6⤵
        Program crash
        
        PID:4756
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 336
        6⤵
        Program crash
        
        PID:1964
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 336
        6⤵
        Program crash
        
        PID:2800
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 336
        6⤵
        Program crash
        
        PID:2716
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 336
        6⤵
        Program crash
        
        PID:4368
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 336
        6⤵
        Program crash
        
        PID:3852
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4136
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 336
        6⤵
        Program crash
        
        PID:4380
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:1052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 340
        6⤵
        Program crash
        
        PID:4292
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 340
        6⤵
        Program crash
        
        PID:3596
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:2176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 336
        6⤵
        Program crash
        
        PID:1184
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 336
        6⤵
        Program crash
        
        PID:4408
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 336
        6⤵
        Program crash
        
        PID:468
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:2184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 336
        6⤵
        Program crash
        
        PID:2600
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 336
        6⤵
        Program crash
        
        PID:2800
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:1056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 344
        6⤵
        Program crash
        
        PID:2852
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:1660
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 336
        6⤵
        Program crash
        
        PID:1936
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:1744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 340
        6⤵
        Program crash
        
        PID:3112
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 340
        6⤵
        Program crash
        
        PID:3684
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 340
        6⤵
        Program crash
        
        PID:1572
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 336
        6⤵
        Program crash
        
        PID:4980
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:3480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 336
        6⤵
        Program crash
        
        PID:5016
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        "C:\Windows\system32\bitsadmin.exe"
        5⤵
        
        PID:4456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 336
        6⤵
        Program crash
        
        PID:2812
  - - C:\Users\Admin\AppData\Roaming\FirstRow.pif
      "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 2984
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4428 -ip 4428
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4620 -ip 4620
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2108 -ip 2108
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4544 -ip 4544
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3492 -ip 3492
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3328 -ip 3328
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2708 -ip 2708
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 720 -ip 720
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1624 -ip 1624
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2276 -ip 2276
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 628 -ip 628
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4336 -ip 4336
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3976 -ip 3976
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3644 -ip 3644
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4128 -ip 4128
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2788 -ip 2788
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3580 -ip 3580
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2084 -ip 2084
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3992 -ip 3992
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3892 -ip 3892
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4768 -ip 4768
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4136 -ip 4136
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1052 -ip 1052
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 952 -ip 952
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2176 -ip 2176
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3528 -ip 3528
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4692 -ip 4692
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2184 -ip 2184
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4996 -ip 4996
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1056 -ip 1056
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1660 -ip 1660
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1744 -ip 1744
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4852 -ip 4852
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3840 -ip 3840
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3356 -ip 3356
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3480 -ip 3480
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4456 -ip 4456
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TMLTH.txt

Filesize
142B

MD5
f36ef4e2bfb399e9159d71c0806dc34f

SHA1
9ce20868ec14cabf37d77a1995b1399ebf40681d

SHA256
99a012606942fe84a0ed1b09c60ef765cef48e4ba317b3a71595b300ae531cc2

SHA512
ad7cd152f2b8f04aeee6838ccb2cc10675f289f0e4fd0e6175dace10a062655df1ec2a8d5e80ba65e5d6d0237311c91b0fce54c16e7576dc38b3399abc304b0b

Download Submit
C:\Users\Admin\AppData\Roaming\FirstRow.pif

Filesize
118KB

MD5
aaddea69bccad9c0654d2e14fdd083e0

SHA1
3fbcb921138f51790ecfaf80af84b5c172770a05

SHA256
66522b1f3560592b34f0555dc030a6063a6a8145e83c8b3cfa65678e050df931

SHA512
7cf57a601db87868345344affbca43585fd9728a841c7a2c103e45b34b9340b2ee52dc5fa8c498c51c0e1d20e71fd55eda8466f56546ce47ea9a91d8b0e54077

Download Submit
memory/1368-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1368-20-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1368-3-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1368-7-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1368-10-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1368-9-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1368-12-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1368-11-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1368-5-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1368-33-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1368-6-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1368-16-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1368-18-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/1368-4-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1368-19-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/1392-21-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1392-43-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1392-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1392-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2312-76-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2312-49-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2312-41-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2316-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-46-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-68-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-282-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-244-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-47-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-95-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-139-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2680-87-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3364-81-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4280-101-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4280-79-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4280-78-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4280-77-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download