pony | a4e446c61b053c273254defe7101056a8627422dd62b123c464424599bb91dd8

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
Size

44KB
MD5

30524e1ace761f2a5666e7165f664f21
SHA1

20f9021c1e7dc473c4e57c420578efc313a474f4
SHA256

a4e446c61b053c273254defe7101056a8627422dd62b123c464424599bb91dd8
SHA512

013f19dc6d8ab8f1f200e8db1b0c556a97e16a024306fa7b213d5b0518084991859853c4bb445074dcafd83ee284cf426867683761f8f5c47576dbccac71293f
SSDEEP

768:mYgPPd1WarignZzCcncubMDLMfuCb4X/e3heDPdJcEJUkzhGly0BTeWuVJVLwA2x:yHd1/ndjnEDLMmCb4m3herEOUkzh8eZK

Score

10^/10

pony credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://web-notification.in/ifr/z.php?ftp=1

http://web-politician.in/ifr/z.php?ftp=1

http://web-technology.in/ifr/z.php?ftp=1

Signatures

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 64 IoCs

pid	Process
2748	ss.exe
2896	crrss.exe
2836	crrss.exe
2516	crrss.exe
2588	crrss.exe
2360	crrss.exe
2004	crrss.exe
1844	crrss.exe
2832	crrss.exe
2872	crrss.exe
1348	crrss.exe
1244	crrss.exe
1956	crrss.exe
2036	crrss.exe
1760	crrss.exe
1968	crrss.exe
1820	crrss.exe
2132	crrss.exe
344	crrss.exe
2396	crrss.exe
2128	crrss.exe
2404	crrss.exe
2372	crrss.exe
1992	crrss.exe
2484	crrss.exe
1192	crrss.exe
2436	crrss.exe
292	crrss.exe
2900	crrss.exe
1408	crrss.exe
856	crrss.exe
1504	crrss.exe
1508	crrss.exe
2968	crrss.exe
2680	crrss.exe
2892	crrss.exe
2320	crrss.exe
2548	crrss.exe
2724	crrss.exe
2696	crrss.exe
2552	crrss.exe
3028	crrss.exe
2348	crrss.exe
848	crrss.exe
1384	crrss.exe
2612	crrss.exe
572	crrss.exe
2876	crrss.exe
2972	crrss.exe
2440	crrss.exe
1908	crrss.exe
1616	crrss.exe
1700	crrss.exe
1884	crrss.exe
1872	crrss.exe
900	crrss.exe
3024	crrss.exe
1824	crrss.exe
2116	crrss.exe
984	crrss.exe
2316	crrss.exe
2060	crrss.exe
2276	crrss.exe
1696	crrss.exe

Loads dropped DLL 64 IoCs

pid	Process
2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
2896	crrss.exe
2836	crrss.exe
2836	crrss.exe
2588	crrss.exe
2588	crrss.exe
2004	crrss.exe
2004	crrss.exe
2832	crrss.exe
2832	crrss.exe
1348	crrss.exe
1348	crrss.exe
1956	crrss.exe
1956	crrss.exe
1760	crrss.exe
1760	crrss.exe
1820	crrss.exe
1820	crrss.exe
344	crrss.exe
344	crrss.exe
2128	crrss.exe
2128	crrss.exe
2372	crrss.exe
2372	crrss.exe
2484	crrss.exe
2484	crrss.exe
2436	crrss.exe
2436	crrss.exe
2900	crrss.exe
2900	crrss.exe
856	crrss.exe
856	crrss.exe
1508	crrss.exe
1508	crrss.exe
2680	crrss.exe
2680	crrss.exe
2320	crrss.exe
2320	crrss.exe
2724	crrss.exe
2724	crrss.exe
2552	crrss.exe
2552	crrss.exe
2348	crrss.exe
2348	crrss.exe
1384	crrss.exe
1384	crrss.exe
572	crrss.exe
572	crrss.exe
2972	crrss.exe
2972	crrss.exe
1908	crrss.exe
1908	crrss.exe
1700	crrss.exe
1700	crrss.exe
1872	crrss.exe
1872	crrss.exe
3024	crrss.exe
3024	crrss.exe
2116	crrss.exe
2116	crrss.exe
2316	crrss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe

Suspicious use of SetThreadContext 49 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2896 set thread context of 2836	2896	crrss.exe	31
PID 2516 set thread context of 2588	2516	crrss.exe	33
PID 2360 set thread context of 2004	2360	crrss.exe	35
PID 1844 set thread context of 2832	1844	crrss.exe	37
PID 2872 set thread context of 1348	2872	crrss.exe	39
PID 1244 set thread context of 1956	1244	crrss.exe	41
PID 2036 set thread context of 1760	2036	crrss.exe	43
PID 1968 set thread context of 1820	1968	crrss.exe	45
PID 2132 set thread context of 344	2132	crrss.exe	47
PID 2396 set thread context of 2128	2396	crrss.exe	49
PID 2404 set thread context of 2372	2404	crrss.exe	53
PID 1992 set thread context of 2484	1992	crrss.exe	55
PID 1192 set thread context of 2436	1192	crrss.exe	59
PID 292 set thread context of 2900	292	crrss.exe	61
PID 1408 set thread context of 856	1408	crrss.exe	63
PID 1504 set thread context of 1508	1504	crrss.exe	65
PID 2968 set thread context of 2680	2968	crrss.exe	67
PID 2892 set thread context of 2320	2892	crrss.exe	69
PID 2548 set thread context of 2724	2548	crrss.exe	71
PID 2696 set thread context of 2552	2696	crrss.exe	73
PID 3028 set thread context of 2348	3028	crrss.exe	75
PID 848 set thread context of 1384	848	crrss.exe	77
PID 2612 set thread context of 572	2612	crrss.exe	79
PID 2876 set thread context of 2972	2876	crrss.exe	81
PID 2440 set thread context of 1908	2440	crrss.exe	83
PID 1616 set thread context of 1700	1616	crrss.exe	85
PID 1884 set thread context of 1872	1884	crrss.exe	87
PID 900 set thread context of 3024	900	crrss.exe	89
PID 1824 set thread context of 2116	1824	crrss.exe	91
PID 984 set thread context of 2316	984	crrss.exe	93
PID 2060 set thread context of 2276	2060	crrss.exe	95
PID 1696 set thread context of 1680	1696	crrss.exe	97
PID 816 set thread context of 1444	816	crrss.exe	99
PID 868 set thread context of 916	868	crrss.exe	101
PID 2216 set thread context of 1124	2216	crrss.exe	103
PID 2088 set thread context of 2408	2088	crrss.exe	105
PID 2068 set thread context of 1180	2068	crrss.exe	107
PID 2608 set thread context of 1408	2608	crrss.exe	109
PID 1620 set thread context of 1512	1620	crrss.exe	111
PID 1548 set thread context of 2676	1548	crrss.exe	113
PID 2640 set thread context of 2528	2640	crrss.exe	115
PID 2548 set thread context of 2856	2548	crrss.exe	117
PID 2596 set thread context of 2692	2596	crrss.exe	119
PID 2472 set thread context of 2360	2472	crrss.exe	121
PID 1008 set thread context of 1380	1008	crrss.exe	123
PID 1684 set thread context of 2848	1684	crrss.exe	125
PID 2880 set thread context of 1220	2880	crrss.exe	127
PID 2272 set thread context of 1960	2272	crrss.exe	129

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-11-0x00000000003B0000-0x00000000003C5000-memory.dmp	upx
behavioral1/files/0x002e000000014733-9.dat	upx
behavioral1/memory/2748-84-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2748-207-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2748	ss.exe
Token: SeTcbPrivilege	2748	ss.exe
Token: SeChangeNotifyPrivilege	2748	ss.exe
Token: SeCreateTokenPrivilege	2748	ss.exe
Token: SeBackupPrivilege	2748	ss.exe
Token: SeRestorePrivilege	2748	ss.exe
Token: SeIncreaseQuotaPrivilege	2748	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2748	ss.exe
Token: SeImpersonatePrivilege	2748	ss.exe
Token: SeTcbPrivilege	2748	ss.exe
Token: SeChangeNotifyPrivilege	2748	ss.exe
Token: SeCreateTokenPrivilege	2748	ss.exe
Token: SeBackupPrivilege	2748	ss.exe
Token: SeRestorePrivilege	2748	ss.exe
Token: SeIncreaseQuotaPrivilege	2748	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2748	ss.exe
Token: SeImpersonatePrivilege	2748	ss.exe
Token: SeTcbPrivilege	2748	ss.exe
Token: SeChangeNotifyPrivilege	2748	ss.exe
Token: SeCreateTokenPrivilege	2748	ss.exe
Token: SeBackupPrivilege	2748	ss.exe
Token: SeRestorePrivilege	2748	ss.exe
Token: SeIncreaseQuotaPrivilege	2748	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2748	ss.exe
Token: SeImpersonatePrivilege	2748	ss.exe
Token: SeTcbPrivilege	2748	ss.exe
Token: SeChangeNotifyPrivilege	2748	ss.exe
Token: SeCreateTokenPrivilege	2748	ss.exe
Token: SeBackupPrivilege	2748	ss.exe
Token: SeRestorePrivilege	2748	ss.exe
Token: SeIncreaseQuotaPrivilege	2748	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2748	ss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2076 wrote to memory of 2732	2076	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	28
PID 2732 wrote to memory of 2748	2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	29
PID 2732 wrote to memory of 2748	2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	29
PID 2732 wrote to memory of 2748	2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	29
PID 2732 wrote to memory of 2748	2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	29
PID 2732 wrote to memory of 2896	2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	30
PID 2732 wrote to memory of 2896	2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	30
PID 2732 wrote to memory of 2896	2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	30
PID 2732 wrote to memory of 2896	2732	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	30
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2896 wrote to memory of 2836	2896	crrss.exe	31
PID 2836 wrote to memory of 2516	2836	crrss.exe	32
PID 2836 wrote to memory of 2516	2836	crrss.exe	32
PID 2836 wrote to memory of 2516	2836	crrss.exe	32
PID 2836 wrote to memory of 2516	2836	crrss.exe	32
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2516 wrote to memory of 2588	2516	crrss.exe	33
PID 2588 wrote to memory of 2360	2588	crrss.exe	34
PID 2588 wrote to memory of 2360	2588	crrss.exe	34
PID 2588 wrote to memory of 2360	2588	crrss.exe	34
PID 2588 wrote to memory of 2360	2588	crrss.exe	34
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2360 wrote to memory of 2004	2360	crrss.exe	35
PID 2004 wrote to memory of 1844	2004	crrss.exe	36
PID 2004 wrote to memory of 1844	2004	crrss.exe	36
PID 2004 wrote to memory of 1844	2004	crrss.exe	36
PID 2004 wrote to memory of 1844	2004	crrss.exe	36
PID 1844 wrote to memory of 2832	1844	crrss.exe	37
PID 1844 wrote to memory of 2832	1844	crrss.exe	37
PID 1844 wrote to memory of 2832	1844	crrss.exe	37
PID 1844 wrote to memory of 2832	1844	crrss.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\ss.exe
    "C:\Users\Admin\ss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\oid.bat" "C:\Users\Admin\ss.exe" "
      4⤵
      PID:652
- - C:\Windows\SysWOW64\crrss.exe
    "C:\Windows\system32\crrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\crrss.exe
      "C:\Windows\system32\crrss.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2036
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2404
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1992
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1192
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:292
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1408
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1504
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2968
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2892
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:848
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2876
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2440
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:2088
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        74⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:1548
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:2472
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        94⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        96⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        97⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        98⤵
        
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oid.bat

Filesize
71B

MD5
e6b031b9b7d40fa332ebc6f38b2f9f64

SHA1
d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f

SHA256
66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b

SHA512
7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948

Download Submit
C:\Users\Admin\uidsave.dat

Filesize
36B

MD5
54d8da2d3ca378a0e60e5115ea079d27

SHA1
79c68bd472d547d1a00ea88e0f569122b459668b

SHA256
ab1af24060b503e6c97215c4684d1e67b39751be046b85b8864f259c2cdd6d23

SHA512
eea15fb93e1fe2a7fe1bf3ecd390df9cb3986bddba234f5472bdf86ff48f434863c84460b73c7729185aafd8c87cfcbf2407ea82329ae9c58889a55c666b2d29

Download Submit
C:\Windows\SysWOW64\crrss.exe

Filesize
44KB

MD5
30524e1ace761f2a5666e7165f664f21

SHA1
20f9021c1e7dc473c4e57c420578efc313a474f4

SHA256
a4e446c61b053c273254defe7101056a8627422dd62b123c464424599bb91dd8

SHA512
013f19dc6d8ab8f1f200e8db1b0c556a97e16a024306fa7b213d5b0518084991859853c4bb445074dcafd83ee284cf426867683761f8f5c47576dbccac71293f

Download Submit
\Users\Admin\ss.exe

Filesize
24KB

MD5
ef0d07322d925aa40236cd91f7a8665f

SHA1
637bef7e53877200dd7a2d4427dad355f32c67e0

SHA256
a1cb68de022f8a617050db06418a60f6fee8cd0e6e4a0612474464d7ec337131

SHA512
7baec045c223c4b6c126fa220efa99c5bbe17274ccd6a9bb5ba1bb952fbe209f96297e2bda9c87ed6c02f38184d7f38ea5a4535bbbdb749803e165634df02ab4

Download Submit
memory/1348-104-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1760-133-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-118-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2004-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2588-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2732-11-0x00000000003B0000-0x00000000003C5000-memory.dmp

Filesize
84KB

Download
memory/2732-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2732-21-0x00000000003B0000-0x00000000003C5000-memory.dmp

Filesize
84KB

Download
memory/2732-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2732-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2732-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2732-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2732-3-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2748-84-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2748-207-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2832-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2836-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download