pony | a4e446c61b053c273254defe7101056a8627422dd62b123c464424599bb91dd8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
Size

44KB
MD5

30524e1ace761f2a5666e7165f664f21
SHA1

20f9021c1e7dc473c4e57c420578efc313a474f4
SHA256

a4e446c61b053c273254defe7101056a8627422dd62b123c464424599bb91dd8
SHA512

013f19dc6d8ab8f1f200e8db1b0c556a97e16a024306fa7b213d5b0518084991859853c4bb445074dcafd83ee284cf426867683761f8f5c47576dbccac71293f
SSDEEP

768:mYgPPd1WarignZzCcncubMDLMfuCb4X/e3heDPdJcEJUkzhGly0BTeWuVJVLwA2x:yHd1/ndjnEDLMmCb4m3herEOUkzh8eZK

Score

10^/10

pony credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://web-notification.in/ifr/z.php?ftp=1

http://web-politician.in/ifr/z.php?ftp=1

http://web-technology.in/ifr/z.php?ftp=1

Signatures

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ss.exe

Executes dropped EXE 64 IoCs

pid	Process
2952	ss.exe
812	crrss.exe
3896	crrss.exe
4268	crrss.exe
4136	crrss.exe
220	crrss.exe
1380	crrss.exe
3832	crrss.exe
2132	crrss.exe
4896	crrss.exe
4304	crrss.exe
4488	crrss.exe
3084	crrss.exe
872	crrss.exe
1496	crrss.exe
3076	crrss.exe
1696	crrss.exe
112	crrss.exe
4688	crrss.exe
2796	crrss.exe
4656	crrss.exe
4568	crrss.exe
2776	crrss.exe
1148	crrss.exe
4836	crrss.exe
3140	crrss.exe
3672	crrss.exe
740	crrss.exe
4408	crrss.exe
3088	crrss.exe
1436	crrss.exe
548	crrss.exe
2128	crrss.exe
344	crrss.exe
1140	crrss.exe
2652	crrss.exe
640	crrss.exe
4884	crrss.exe
3124	crrss.exe
3504	crrss.exe
1444	crrss.exe
1252	crrss.exe
3208	crrss.exe
3552	crrss.exe
2832	crrss.exe
2844	crrss.exe
4904	crrss.exe
1188	crrss.exe
4588	crrss.exe
4528	crrss.exe
1620	crrss.exe
2068	crrss.exe
396	crrss.exe
2792	crrss.exe
4816	crrss.exe
2628	crrss.exe
2316	crrss.exe
4348	crrss.exe
4180	crrss.exe
2644	crrss.exe
4436	crrss.exe
1504	crrss.exe
332	crrss.exe
3400	crrss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe
File opened for modification	C:\Windows\SysWOW64\crrss.exe	crrss.exe

Suspicious use of SetThreadContext 48 IoCs

description	pid	Process	procid_target
PID 3232 set thread context of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 812 set thread context of 3896	812	crrss.exe	85
PID 4268 set thread context of 4136	4268	crrss.exe	91
PID 220 set thread context of 1380	220	crrss.exe	94
PID 3832 set thread context of 2132	3832	crrss.exe	98
PID 4896 set thread context of 4304	4896	crrss.exe	100
PID 4488 set thread context of 3084	4488	crrss.exe	102
PID 872 set thread context of 1496	872	crrss.exe	104
PID 3076 set thread context of 1696	3076	crrss.exe	106
PID 112 set thread context of 4688	112	crrss.exe	108
PID 2796 set thread context of 4656	2796	crrss.exe	111
PID 4568 set thread context of 2776	4568	crrss.exe	113
PID 1148 set thread context of 4836	1148	crrss.exe	115
PID 3140 set thread context of 3672	3140	crrss.exe	119
PID 740 set thread context of 4408	740	crrss.exe	121
PID 3088 set thread context of 1436	3088	crrss.exe	124
PID 548 set thread context of 2128	548	crrss.exe	126
PID 344 set thread context of 1140	344	crrss.exe	128
PID 2652 set thread context of 640	2652	crrss.exe	130
PID 4884 set thread context of 3124	4884	crrss.exe	132
PID 3504 set thread context of 1444	3504	crrss.exe	134
PID 1252 set thread context of 3208	1252	crrss.exe	136
PID 3552 set thread context of 2832	3552	crrss.exe	138
PID 2844 set thread context of 4904	2844	crrss.exe	140
PID 1188 set thread context of 4588	1188	crrss.exe	142
PID 4528 set thread context of 1620	4528	crrss.exe	144
PID 2068 set thread context of 396	2068	crrss.exe	146
PID 2792 set thread context of 4816	2792	crrss.exe	148
PID 2628 set thread context of 2316	2628	crrss.exe	150
PID 4348 set thread context of 4180	4348	crrss.exe	152
PID 2644 set thread context of 4436	2644	crrss.exe	154
PID 1504 set thread context of 332	1504	crrss.exe	156
PID 3400 set thread context of 5028	3400	crrss.exe	158
PID 5056 set thread context of 3832	5056	crrss.exe	160
PID 1908 set thread context of 3444	1908	crrss.exe	162
PID 3524 set thread context of 3384	3524	crrss.exe	164
PID 1476 set thread context of 1828	1476	crrss.exe	166
PID 3584 set thread context of 3504	3584	crrss.exe	168
PID 4604 set thread context of 5024	4604	crrss.exe	170
PID 2444 set thread context of 2724	2444	crrss.exe	172
PID 3348 set thread context of 2216	3348	crrss.exe	174
PID 2012 set thread context of 4432	2012	crrss.exe	176
PID 3688 set thread context of 3152	3688	crrss.exe	178
PID 4564 set thread context of 3232	4564	crrss.exe	180
PID 1212 set thread context of 836	1212	crrss.exe	182
PID 840 set thread context of 1160	840	crrss.exe	184
PID 3700 set thread context of 2952	3700	crrss.exe	186
PID 1812 set thread context of 4768	1812	crrss.exe	188

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b92-11.dat	upx
behavioral2/memory/2952-12-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2952-67-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2952-166-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crrss.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2952	ss.exe
Token: SeTcbPrivilege	2952	ss.exe
Token: SeChangeNotifyPrivilege	2952	ss.exe
Token: SeCreateTokenPrivilege	2952	ss.exe
Token: SeBackupPrivilege	2952	ss.exe
Token: SeRestorePrivilege	2952	ss.exe
Token: SeIncreaseQuotaPrivilege	2952	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2952	ss.exe
Token: SeImpersonatePrivilege	2952	ss.exe
Token: SeTcbPrivilege	2952	ss.exe
Token: SeChangeNotifyPrivilege	2952	ss.exe
Token: SeCreateTokenPrivilege	2952	ss.exe
Token: SeBackupPrivilege	2952	ss.exe
Token: SeRestorePrivilege	2952	ss.exe
Token: SeIncreaseQuotaPrivilege	2952	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2952	ss.exe
Token: SeImpersonatePrivilege	2952	ss.exe
Token: SeTcbPrivilege	2952	ss.exe
Token: SeChangeNotifyPrivilege	2952	ss.exe
Token: SeCreateTokenPrivilege	2952	ss.exe
Token: SeBackupPrivilege	2952	ss.exe
Token: SeRestorePrivilege	2952	ss.exe
Token: SeIncreaseQuotaPrivilege	2952	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2952	ss.exe
Token: SeImpersonatePrivilege	2952	ss.exe
Token: SeTcbPrivilege	2952	ss.exe
Token: SeChangeNotifyPrivilege	2952	ss.exe
Token: SeCreateTokenPrivilege	2952	ss.exe
Token: SeBackupPrivilege	2952	ss.exe
Token: SeRestorePrivilege	2952	ss.exe
Token: SeIncreaseQuotaPrivilege	2952	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2952	ss.exe
Token: SeImpersonatePrivilege	2952	ss.exe
Token: SeTcbPrivilege	2952	ss.exe
Token: SeChangeNotifyPrivilege	2952	ss.exe
Token: SeCreateTokenPrivilege	2952	ss.exe
Token: SeBackupPrivilege	2952	ss.exe
Token: SeRestorePrivilege	2952	ss.exe
Token: SeIncreaseQuotaPrivilege	2952	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2952	ss.exe
Token: SeImpersonatePrivilege	2952	ss.exe
Token: SeTcbPrivilege	2952	ss.exe
Token: SeChangeNotifyPrivilege	2952	ss.exe
Token: SeCreateTokenPrivilege	2952	ss.exe
Token: SeBackupPrivilege	2952	ss.exe
Token: SeRestorePrivilege	2952	ss.exe
Token: SeIncreaseQuotaPrivilege	2952	ss.exe
Token: SeAssignPrimaryTokenPrivilege	2952	ss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 3232 wrote to memory of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 3232 wrote to memory of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 3232 wrote to memory of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 3232 wrote to memory of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 3232 wrote to memory of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 3232 wrote to memory of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 3232 wrote to memory of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 3232 wrote to memory of 5088	3232	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	82
PID 5088 wrote to memory of 2952	5088	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	83
PID 5088 wrote to memory of 2952	5088	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	83
PID 5088 wrote to memory of 2952	5088	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	83
PID 5088 wrote to memory of 812	5088	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	84
PID 5088 wrote to memory of 812	5088	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	84
PID 5088 wrote to memory of 812	5088	JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe	84
PID 812 wrote to memory of 3896	812	crrss.exe	85
PID 812 wrote to memory of 3896	812	crrss.exe	85
PID 812 wrote to memory of 3896	812	crrss.exe	85
PID 812 wrote to memory of 3896	812	crrss.exe	85
PID 812 wrote to memory of 3896	812	crrss.exe	85
PID 812 wrote to memory of 3896	812	crrss.exe	85
PID 812 wrote to memory of 3896	812	crrss.exe	85
PID 812 wrote to memory of 3896	812	crrss.exe	85
PID 812 wrote to memory of 3896	812	crrss.exe	85
PID 3896 wrote to memory of 4268	3896	crrss.exe	90
PID 3896 wrote to memory of 4268	3896	crrss.exe	90
PID 3896 wrote to memory of 4268	3896	crrss.exe	90
PID 4268 wrote to memory of 4136	4268	crrss.exe	91
PID 4268 wrote to memory of 4136	4268	crrss.exe	91
PID 4268 wrote to memory of 4136	4268	crrss.exe	91
PID 4268 wrote to memory of 4136	4268	crrss.exe	91
PID 4268 wrote to memory of 4136	4268	crrss.exe	91
PID 4268 wrote to memory of 4136	4268	crrss.exe	91
PID 4268 wrote to memory of 4136	4268	crrss.exe	91
PID 4268 wrote to memory of 4136	4268	crrss.exe	91
PID 4268 wrote to memory of 4136	4268	crrss.exe	91
PID 4136 wrote to memory of 220	4136	crrss.exe	93
PID 4136 wrote to memory of 220	4136	crrss.exe	93
PID 4136 wrote to memory of 220	4136	crrss.exe	93
PID 220 wrote to memory of 1380	220	crrss.exe	94
PID 220 wrote to memory of 1380	220	crrss.exe	94
PID 220 wrote to memory of 1380	220	crrss.exe	94
PID 220 wrote to memory of 1380	220	crrss.exe	94
PID 220 wrote to memory of 1380	220	crrss.exe	94
PID 220 wrote to memory of 1380	220	crrss.exe	94
PID 220 wrote to memory of 1380	220	crrss.exe	94
PID 220 wrote to memory of 1380	220	crrss.exe	94
PID 220 wrote to memory of 1380	220	crrss.exe	94
PID 1380 wrote to memory of 3832	1380	crrss.exe	97
PID 1380 wrote to memory of 3832	1380	crrss.exe	97
PID 1380 wrote to memory of 3832	1380	crrss.exe	97
PID 3832 wrote to memory of 2132	3832	crrss.exe	98
PID 3832 wrote to memory of 2132	3832	crrss.exe	98
PID 3832 wrote to memory of 2132	3832	crrss.exe	98
PID 3832 wrote to memory of 2132	3832	crrss.exe	98
PID 3832 wrote to memory of 2132	3832	crrss.exe	98
PID 3832 wrote to memory of 2132	3832	crrss.exe	98
PID 3832 wrote to memory of 2132	3832	crrss.exe	98
PID 3832 wrote to memory of 2132	3832	crrss.exe	98
PID 3832 wrote to memory of 2132	3832	crrss.exe	98
PID 2132 wrote to memory of 4896	2132	crrss.exe	99
PID 2132 wrote to memory of 4896	2132	crrss.exe	99
PID 2132 wrote to memory of 4896	2132	crrss.exe	99
PID 4896 wrote to memory of 4304	4896	crrss.exe	100

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30524e1ace761f2a5666e7165f664f21.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\ss.exe
    "C:\Users\Admin\ss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oid.bat" "C:\Users\Admin\ss.exe" "
      4⤵
      PID:3224
- - C:\Windows\SysWOW64\crrss.exe
    "C:\Windows\system32\crrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\SysWOW64\crrss.exe
      "C:\Windows\system32\crrss.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4488
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:112
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        22⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1148
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3140
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:548
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:344
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4884
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1252
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3552
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1188
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4528
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2644
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3400
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        68⤵
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:1908
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:4604
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:2444
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        84⤵
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:1212
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\crrss.exe
        
        "C:\Windows\system32\crrss.exe"
        96⤵
        
        PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oid.bat

Filesize
71B

MD5
e6b031b9b7d40fa332ebc6f38b2f9f64

SHA1
d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f

SHA256
66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b

SHA512
7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948

Download Submit
C:\Users\Admin\ss.exe

Filesize
24KB

MD5
ef0d07322d925aa40236cd91f7a8665f

SHA1
637bef7e53877200dd7a2d4427dad355f32c67e0

SHA256
a1cb68de022f8a617050db06418a60f6fee8cd0e6e4a0612474464d7ec337131

SHA512
7baec045c223c4b6c126fa220efa99c5bbe17274ccd6a9bb5ba1bb952fbe209f96297e2bda9c87ed6c02f38184d7f38ea5a4535bbbdb749803e165634df02ab4

Download Submit
C:\Users\Admin\uidsave.dat

Filesize
36B

MD5
209af48707a737a4948d60f50a069a6d

SHA1
d265238deff2fbfe2e569761fe6049ec8135413a

SHA256
36b100dd5cf3afbcc84e647a4445ad7341b458f72e579d5e55dd368beadcf264

SHA512
f11c670c0e9684f35a3834181104269bfac9a7bdb037817d2ebf67b7806d151c24c59605a0260dd87b0345fbaaf2f23e6c84d17b8b2345ddb16e47f71047927f

Download Submit
C:\Windows\SysWOW64\crrss.exe

Filesize
44KB

MD5
30524e1ace761f2a5666e7165f664f21

SHA1
20f9021c1e7dc473c4e57c420578efc313a474f4

SHA256
a4e446c61b053c273254defe7101056a8627422dd62b123c464424599bb91dd8

SHA512
013f19dc6d8ab8f1f200e8db1b0c556a97e16a024306fa7b213d5b0518084991859853c4bb445074dcafd83ee284cf426867683761f8f5c47576dbccac71293f

Download Submit
memory/1380-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1496-108-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2132-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2952-67-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2952-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2952-166-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3084-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3896-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3896-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4136-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4136-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4304-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5088-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5088-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5088-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5088-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5088-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5088-3-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download