pony | c896265abc789bcb9d7ba5e24447f7d4ddc49e1e88e8f998309885fbfc5f4981

Analysis

max time kernel
62s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Size

206KB
MD5

5f49d2bcf1621856d5021a5bd4d1dab0
SHA1

1fd0f73903ba2aa05c240b6fd639c0549a5ccf27
SHA256

c896265abc789bcb9d7ba5e24447f7d4ddc49e1e88e8f998309885fbfc5f4981
SHA512

a66a88914e0c2e18556c809f295efea4728ff3e6ba8c259be27d8b3a4133fe983a74ae11119d2738d888b96ec0e3a945d0d252af01e9930795abf8c78afb1235
SSDEEP

6144:DjhYOkUk+66TS/ZM07QnwTTnGLAIEPlR:JN++6+nwTTGk7lR

Score

10^/10

pony collection credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://kalunta.esy.es/pony/gate.php

Attributes

payload_url
http://kalunta.esy.es/pony/kalu.exe

Signatures

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	isshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dslsvc.exe

Executes dropped EXE 27 IoCs

pid	Process
3172	isshost.exe
2764	dslsvc.exe
4448	dslsvc.exe
3512	isshost.exe
3584	dslsvc.exe
4520	dslsvc.exe
3980	dslsvc.exe
4456	dslsvc.exe
3028	dslsvc.exe
3232	dslsvc.exe
3772	dslsvc.exe
3024	dslsvc.exe
2268	dslsvc.exe
4412	dslsvc.exe
4080	dslsvc.exe
776	dslsvc.exe
1636	dslsvc.exe
4284	dslsvc.exe
852	dslsvc.exe
3924	dslsvc.exe
2428	dslsvc.exe
4688	dslsvc.exe
2112	dslsvc.exe
2228	dslsvc.exe
3580	dslsvc.exe
3960	dslsvc.exe
4224	dslsvc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 18 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dslsvc.exe

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 25 IoCs

description	pid	Process	procid_target
PID 4596 set thread context of 5012	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	86
PID 2764 set thread context of 4448	2764	dslsvc.exe	94
PID 2764 set thread context of 3584	2764	dslsvc.exe	100
PID 2764 set thread context of 4520	2764	dslsvc.exe	104
PID 2764 set thread context of 3980	2764	dslsvc.exe	110
PID 2764 set thread context of 4456	2764	dslsvc.exe	115
PID 2764 set thread context of 3028	2764	dslsvc.exe	119
PID 2764 set thread context of 3232	2764	dslsvc.exe	124
PID 2764 set thread context of 3772	2764	dslsvc.exe	125
PID 2764 set thread context of 3024	2764	dslsvc.exe	130
PID 2764 set thread context of 2268	2764	dslsvc.exe	133
PID 2764 set thread context of 4412	2764	dslsvc.exe	137
PID 2764 set thread context of 4080	2764	dslsvc.exe	141
PID 2764 set thread context of 776	2764	dslsvc.exe	144
PID 2764 set thread context of 1636	2764	dslsvc.exe	148
PID 2764 set thread context of 4284	2764	dslsvc.exe	149
PID 2764 set thread context of 852	2764	dslsvc.exe	154
PID 2764 set thread context of 3924	2764	dslsvc.exe	155
PID 2764 set thread context of 2428	2764	dslsvc.exe	156
PID 2764 set thread context of 4688	2764	dslsvc.exe	161
PID 2764 set thread context of 2112	2764	dslsvc.exe	164
PID 2764 set thread context of 2228	2764	dslsvc.exe	167
PID 2764 set thread context of 3580	2764	dslsvc.exe	170
PID 2764 set thread context of 3960	2764	dslsvc.exe	171
PID 2764 set thread context of 4224	2764	dslsvc.exe	174

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5012-6-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5012-11-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5012-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5012-35-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3584-42-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3584-43-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
3172	isshost.exe
4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
3172	isshost.exe
4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
2764	dslsvc.exe
2764	dslsvc.exe
2764	dslsvc.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
2764	dslsvc.exe
2764	dslsvc.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
2764	dslsvc.exe
2764	dslsvc.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe
3512	isshost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeImpersonatePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeTcbPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeChangeNotifyPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeCreateTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeBackupPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeRestorePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeIncreaseQuotaPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeAssignPrimaryTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeDebugPrivilege	3172	isshost.exe
Token: SeDebugPrivilege	2764	dslsvc.exe
Token: SeImpersonatePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeTcbPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeChangeNotifyPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeCreateTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeBackupPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeRestorePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeIncreaseQuotaPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeAssignPrimaryTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeImpersonatePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeTcbPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeChangeNotifyPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeCreateTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeBackupPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeRestorePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeIncreaseQuotaPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeAssignPrimaryTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeImpersonatePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeTcbPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeChangeNotifyPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeCreateTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeBackupPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeRestorePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeIncreaseQuotaPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeAssignPrimaryTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeImpersonatePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeTcbPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeChangeNotifyPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeCreateTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeBackupPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeRestorePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeIncreaseQuotaPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeAssignPrimaryTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeImpersonatePrivilege	4448	dslsvc.exe
Token: SeTcbPrivilege	4448	dslsvc.exe
Token: SeChangeNotifyPrivilege	4448	dslsvc.exe
Token: SeCreateTokenPrivilege	4448	dslsvc.exe
Token: SeBackupPrivilege	4448	dslsvc.exe
Token: SeRestorePrivilege	4448	dslsvc.exe
Token: SeIncreaseQuotaPrivilege	4448	dslsvc.exe
Token: SeAssignPrimaryTokenPrivilege	4448	dslsvc.exe
Token: SeImpersonatePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeTcbPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeChangeNotifyPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeCreateTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeBackupPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeRestorePrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeIncreaseQuotaPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeAssignPrimaryTokenPrivilege	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
Token: SeDebugPrivilege	3512	isshost.exe
Token: SeImpersonatePrivilege	4448	dslsvc.exe
Token: SeTcbPrivilege	4448	dslsvc.exe
Token: SeChangeNotifyPrivilege	4448	dslsvc.exe
Token: SeCreateTokenPrivilege	4448	dslsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 396	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	84
PID 4596 wrote to memory of 396	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	84
PID 4596 wrote to memory of 396	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	84
PID 4596 wrote to memory of 5012	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	86
PID 4596 wrote to memory of 5012	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	86
PID 4596 wrote to memory of 5012	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	86
PID 4596 wrote to memory of 5012	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	86
PID 4596 wrote to memory of 5012	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	86
PID 4596 wrote to memory of 5012	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	86
PID 4596 wrote to memory of 5012	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	86
PID 4596 wrote to memory of 3172	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	87
PID 4596 wrote to memory of 3172	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	87
PID 4596 wrote to memory of 3172	4596	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	87
PID 3172 wrote to memory of 3932	3172	isshost.exe	88
PID 3172 wrote to memory of 3932	3172	isshost.exe	88
PID 3172 wrote to memory of 3932	3172	isshost.exe	88
PID 3172 wrote to memory of 2764	3172	isshost.exe	90
PID 3172 wrote to memory of 2764	3172	isshost.exe	90
PID 3172 wrote to memory of 2764	3172	isshost.exe	90
PID 3932 wrote to memory of 3896	3932	cmd.exe	91
PID 3932 wrote to memory of 3896	3932	cmd.exe	91
PID 3932 wrote to memory of 3896	3932	cmd.exe	91
PID 2764 wrote to memory of 4448	2764	dslsvc.exe	94
PID 2764 wrote to memory of 4448	2764	dslsvc.exe	94
PID 2764 wrote to memory of 4448	2764	dslsvc.exe	94
PID 2764 wrote to memory of 4448	2764	dslsvc.exe	94
PID 2764 wrote to memory of 4448	2764	dslsvc.exe	94
PID 2764 wrote to memory of 4448	2764	dslsvc.exe	94
PID 2764 wrote to memory of 4448	2764	dslsvc.exe	94
PID 2764 wrote to memory of 3512	2764	dslsvc.exe	95
PID 2764 wrote to memory of 3512	2764	dslsvc.exe	95
PID 2764 wrote to memory of 3512	2764	dslsvc.exe	95
PID 5012 wrote to memory of 3872	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	96
PID 5012 wrote to memory of 3872	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	96
PID 5012 wrote to memory of 3872	5012	JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe	96
PID 4448 wrote to memory of 2368	4448	dslsvc.exe	98
PID 4448 wrote to memory of 2368	4448	dslsvc.exe	98
PID 4448 wrote to memory of 2368	4448	dslsvc.exe	98
PID 2764 wrote to memory of 3584	2764	dslsvc.exe	100
PID 2764 wrote to memory of 3584	2764	dslsvc.exe	100
PID 2764 wrote to memory of 3584	2764	dslsvc.exe	100
PID 2764 wrote to memory of 3584	2764	dslsvc.exe	100
PID 2764 wrote to memory of 3584	2764	dslsvc.exe	100
PID 2764 wrote to memory of 3584	2764	dslsvc.exe	100
PID 2764 wrote to memory of 3584	2764	dslsvc.exe	100
PID 3584 wrote to memory of 3596	3584	dslsvc.exe	102
PID 3584 wrote to memory of 3596	3584	dslsvc.exe	102
PID 3584 wrote to memory of 3596	3584	dslsvc.exe	102
PID 2764 wrote to memory of 4520	2764	dslsvc.exe	104
PID 2764 wrote to memory of 4520	2764	dslsvc.exe	104
PID 2764 wrote to memory of 4520	2764	dslsvc.exe	104
PID 2764 wrote to memory of 4520	2764	dslsvc.exe	104
PID 2764 wrote to memory of 4520	2764	dslsvc.exe	104
PID 2764 wrote to memory of 4520	2764	dslsvc.exe	104
PID 2764 wrote to memory of 4520	2764	dslsvc.exe	104
PID 2764 wrote to memory of 3980	2764	dslsvc.exe	110
PID 2764 wrote to memory of 3980	2764	dslsvc.exe	110
PID 2764 wrote to memory of 3980	2764	dslsvc.exe	110
PID 2764 wrote to memory of 3980	2764	dslsvc.exe	110
PID 2764 wrote to memory of 3980	2764	dslsvc.exe	110
PID 2764 wrote to memory of 3980	2764	dslsvc.exe	110
PID 2764 wrote to memory of 3980	2764	dslsvc.exe	110
PID 3980 wrote to memory of 4352	3980	dslsvc.exe	113
PID 3980 wrote to memory of 4352	3980	dslsvc.exe	113

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dslsvc.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:396
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240623000.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f49d2bcf1621856d5021a5bd4d1dab0.exe" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3872
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\isshost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\isshost.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\isshost.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\isshost.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3896
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240623640.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\isshost.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\isshost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3512
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240624390.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Executes dropped EXE
      PID:4520
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240631937.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Executes dropped EXE
      PID:4456
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240638250.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Executes dropped EXE
      PID:3232
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:3772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240644562.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240645328.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:2268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240646062.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:4412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240649234.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:4080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240650078.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240650875.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Executes dropped EXE
      PID:1636
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:4284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240655796.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:216
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Executes dropped EXE
      PID:852
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Executes dropped EXE
      PID:3924
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240666093.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:4688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240666859.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240668046.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240671203.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Executes dropped EXE
      PID:3580
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:3960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240677359.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      outlook_win_path
      PID:4224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240678250.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:3560
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240679265.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:2332
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240682468.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:1216
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240683375.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:732
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:1668
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240688796.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:948
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3720
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:1148
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240700640.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:2068
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240701625.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:2864
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240704765.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:2204
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240705515.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:3228
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240706406.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:1224
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240707250.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:1664
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240710468.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:4596
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:1348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240711515.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:3488
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3796
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:4440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240713968.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:2548
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240721296.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:1688
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:1820
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240726437.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:2800
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240727375.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:1164
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240728390.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:736
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240731671.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:1432
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:1108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240732609.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:2184
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5116
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240737890.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:5208
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240738953.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:5328
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240739953.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:5448
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240743265.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:5576
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5604
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240749156.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:6000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:6028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240750234.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:6128
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:2992
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240754109.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:5300
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5384
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240759453.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:1684
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:5640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240760531.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:4564
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240763890.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:6076
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240764765.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe" "
        5⤵
        
        PID:2304
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe"
      4⤵
      PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\isshost.exe.log

Filesize
308B

MD5
1941623a471e15f0e2ca7dbadd577fdc

SHA1
f7df5d8a54a66191bb1a4518c9cddb3fd61f225b

SHA256
19a17b2ee8664b5dc68810ee4bca9bfe4370ce7bd3d640fa3bd0fa03efc45f6f

SHA512
6e33e3955340711e3e36c36c30eb869003e361083eed1f3ca914d1085f9477a1f9f94010b9834e8ec5580de8ddb33c3256791d5f6fd7c3a1636c6963de309e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\240623000.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dslsvc.exe

Filesize
206KB

MD5
5f49d2bcf1621856d5021a5bd4d1dab0

SHA1
1fd0f73903ba2aa05c240b6fd639c0549a5ccf27

SHA256
c896265abc789bcb9d7ba5e24447f7d4ddc49e1e88e8f998309885fbfc5f4981

SHA512
a66a88914e0c2e18556c809f295efea4728ff3e6ba8c259be27d8b3a4133fe983a74ae11119d2738d888b96ec0e3a945d0d252af01e9930795abf8c78afb1235

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\isshost.exe

Filesize
14KB

MD5
d55813126555ac09292c893e1ffcad44

SHA1
9a47b6b9488fcfffcc12626cc874156726ab0453

SHA256
38fc0e13274060565a0c262a417106ba3224256e5a1da97b908f365a74a11f29

SHA512
90773db9640979b7f002b56f4e3ef84a6ab9d4467e6e73eb444bcae2d1ae5a0dd757a616e321caaefaac586238488ce19abe7b9e908af7613529a74279eede47

Download Submit
memory/3172-14-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/3172-20-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-15-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-16-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-43-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3584-42-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4596-0-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/4596-22-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-2-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/5012-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5012-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5012-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5012-11-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download