orcus | b0becdf1d3ad227e48899ad25cbdc47d9b9c5bcf7f88af92822197a769380db5

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
Size

2.7MB
MD5

1b216f695dfb650511fe4022727f1388
SHA1

0f14d33fa6932bd073eba159689bc0e6c93d09be
SHA256

b0becdf1d3ad227e48899ad25cbdc47d9b9c5bcf7f88af92822197a769380db5
SHA512

03d0bb82771bb12e3e0c1f544153b93003d57ed8037a80b1f91369511f99f7e96408d345821051a655c98cb8c717685ba503390694969cccf1e21369553a3048
SSDEEP

49152:pK+ohlRNJSkTmNN31MwQn7y6mbL08WvcSr:czHIkTmNdY7y/bL7le

Score

10^/10

orcus desk-100618 persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

DESK-100618

poulty55.chickenkiller.com:9030

Mutex

a386a045d9c842428c74de4ed9645fe9

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10002
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 5 IoCs

resource	yara_rule
behavioral1/memory/1776-70-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/1776-75-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/1776-77-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/1776-72-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/1776-76-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\em3drive.exe.lnk	ManiPool8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\em3drive.exe.lnk	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
964	ManiPool8.exe
2216	ManiPool8.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	cmd.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 964 set thread context of 2216	964	ManiPool8.exe	43
PID 2216 set thread context of 1776	2216	ManiPool8.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2340	timeout.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\FolderNdrive\em3drive.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\FolderNdrive\em3drive.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
964	ManiPool8.exe
2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
964	ManiPool8.exe
964	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe
2216	ManiPool8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1776	regasm.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
Token: 33	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
Token: SeDebugPrivilege	2232	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
Token: SeDebugPrivilege	964	ManiPool8.exe
Token: 33	964	ManiPool8.exe
Token: SeIncBasePriorityPrivilege	964	ManiPool8.exe
Token: SeDebugPrivilege	2216	ManiPool8.exe
Token: SeDebugPrivilege	1776	regasm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1776	regasm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2536	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	30
PID 2320 wrote to memory of 2536	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	30
PID 2320 wrote to memory of 2536	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	30
PID 2320 wrote to memory of 2536	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2492	2536	cmd.exe	32
PID 2536 wrote to memory of 2492	2536	cmd.exe	32
PID 2536 wrote to memory of 2492	2536	cmd.exe	32
PID 2536 wrote to memory of 2492	2536	cmd.exe	32
PID 2320 wrote to memory of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 2320 wrote to memory of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 2320 wrote to memory of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 2320 wrote to memory of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 2320 wrote to memory of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 2320 wrote to memory of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 2320 wrote to memory of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 2320 wrote to memory of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 2320 wrote to memory of 2232	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	33
PID 2320 wrote to memory of 572	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	34
PID 2320 wrote to memory of 572	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	34
PID 2320 wrote to memory of 572	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	34
PID 2320 wrote to memory of 572	2320	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	34
PID 572 wrote to memory of 2340	572	cmd.exe	36
PID 572 wrote to memory of 2340	572	cmd.exe	36
PID 572 wrote to memory of 2340	572	cmd.exe	36
PID 572 wrote to memory of 2340	572	cmd.exe	36
PID 2232 wrote to memory of 2328	2232	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	37
PID 2232 wrote to memory of 2328	2232	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	37
PID 2232 wrote to memory of 2328	2232	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	37
PID 2232 wrote to memory of 2328	2232	1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe	37
PID 2328 wrote to memory of 964	2328	cmd.exe	39
PID 2328 wrote to memory of 964	2328	cmd.exe	39
PID 2328 wrote to memory of 964	2328	cmd.exe	39
PID 2328 wrote to memory of 964	2328	cmd.exe	39
PID 964 wrote to memory of 1812	964	ManiPool8.exe	40
PID 964 wrote to memory of 1812	964	ManiPool8.exe	40
PID 964 wrote to memory of 1812	964	ManiPool8.exe	40
PID 964 wrote to memory of 1812	964	ManiPool8.exe	40
PID 1812 wrote to memory of 2208	1812	cmd.exe	42
PID 1812 wrote to memory of 2208	1812	cmd.exe	42
PID 1812 wrote to memory of 2208	1812	cmd.exe	42
PID 1812 wrote to memory of 2208	1812	cmd.exe	42
PID 964 wrote to memory of 2216	964	ManiPool8.exe	43
PID 964 wrote to memory of 2216	964	ManiPool8.exe	43
PID 964 wrote to memory of 2216	964	ManiPool8.exe	43
PID 964 wrote to memory of 2216	964	ManiPool8.exe	43
PID 964 wrote to memory of 2216	964	ManiPool8.exe	43
PID 964 wrote to memory of 2216	964	ManiPool8.exe	43
PID 964 wrote to memory of 2216	964	ManiPool8.exe	43
PID 964 wrote to memory of 2216	964	ManiPool8.exe	43
PID 964 wrote to memory of 2216	964	ManiPool8.exe	43
PID 2216 wrote to memory of 1724	2216	ManiPool8.exe	44
PID 2216 wrote to memory of 1724	2216	ManiPool8.exe	44
PID 2216 wrote to memory of 1724	2216	ManiPool8.exe	44
PID 2216 wrote to memory of 1724	2216	ManiPool8.exe	44
PID 1724 wrote to memory of 1552	1724	cmd.exe	46
PID 1724 wrote to memory of 1552	1724	cmd.exe	46
PID 1724 wrote to memory of 1552	1724	cmd.exe	46
PID 1724 wrote to memory of 1552	1724	cmd.exe	46
PID 2216 wrote to memory of 1776	2216	ManiPool8.exe	47
PID 2216 wrote to memory of 1776	2216	ManiPool8.exe	47
PID 2216 wrote to memory of 1776	2216	ManiPool8.exe	47
PID 2216 wrote to memory of 1776	2216	ManiPool8.exe	47
PID 2216 wrote to memory of 1776	2216	ManiPool8.exe	47
PID 2216 wrote to memory of 1776	2216	ManiPool8.exe	47

C:\Users\Admin\AppData\Local\Temp\1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderNdrive\em3drive.exe.lnk" /f
    3⤵
    PID:2492
- C:\Users\Admin\AppData\Local\Temp\1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    "cmd"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe
      "C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe"
        5⤵
        NTFS ADS
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderNdrive\em3drive.exe.lnk" /f
        6⤵
        
        PID:2208
    - - C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe
        
        "C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1552
      - C:\Windows\Microsoft.net\Framework\v2.0.50727\regasm.exe
        
        "C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe"
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\61g249lb.cmdline"
        7⤵
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA92C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA91B.tmp"
        8⤵
        
        PID:1144
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:684
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1564
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:984
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2836
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1328
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2776
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1416
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2704
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2620
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1012
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2712
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2588
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2352
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2376
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1052
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:960
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:852
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2396
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2236
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:952
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1616
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:272
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\FolderNdrive\em3drive.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 180
    3⤵
    - Delays execution with timeout.exe
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61g249lb.dll

Filesize
76KB

MD5
64e45aa905008a7d2458922efa173f7e

SHA1
aef95582656af88e8679416f71d770ab4ba4b4a5

SHA256
2e05d6ed1552548732cc3ad98b4e30662a9514406ec485753900b1bde020f0d8

SHA512
f00fe7616336d7a68063fbdaf9651baf56d84843d758055e87a6f4beef595b74ac3d68f58f513048a080d60b6970896df437029580d6324484f12594410b111d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt

Filesize
72B

MD5
26ac1207f6db39ca0d1ad65d84d31486

SHA1
99fb6eab1f00e26aa4dbaea10502f6bcaa2c9a99

SHA256
fbe9af6dddb9c872e6fce6c643519f3cdf3719516e8c388a3524a6d121a835fd

SHA512
28db2596fc93344c701a3b9365117de130d29030372ef3d79501a930e13f0c056ec69061a7055d8ec633697f17baae1534c99a225514d73ee780ffd8bcd33633

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA92C.tmp

Filesize
1KB

MD5
e2bc23fde33adc32f1eca424fa665349

SHA1
70f7a855c7b227afb65d8389a5e01101c1b1c0f6

SHA256
306939de029af7ce2fbafb9f77fdbf50c11a5f7dde2f96d17ea0c7a4f205e7c4

SHA512
80defb677e168cfba5c9ce49dc772c3df8d5565af968b0bfb1e57f6de31eaa95d99ab33619753f553e11ae7fba10e5296259fbdf63642ea31422027b582ae4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\em3drive.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Roaming\FolderNdrive\em3drive.exe

Filesize
2.7MB

MD5
1b216f695dfb650511fe4022727f1388

SHA1
0f14d33fa6932bd073eba159689bc0e6c93d09be

SHA256
b0becdf1d3ad227e48899ad25cbdc47d9b9c5bcf7f88af92822197a769380db5

SHA512
03d0bb82771bb12e3e0c1f544153b93003d57ed8037a80b1f91369511f99f7e96408d345821051a655c98cb8c717685ba503390694969cccf1e21369553a3048

Download Submit
C:\Users\Admin\AppData\Roaming\FolderNdrive\em3drive.exe.bat

Filesize
214B

MD5
851b1b9160192b3b9a0ca6fdb8537749

SHA1
ea2d002ec9455f4237002296da0b095050ef3662

SHA256
be83064b23062b414aaeb89f27a2adcd513c87a4b39047d578b953bf5e98a947

SHA512
4aa3e6ece740df50b2122c1693924909ec43739fe533d358a52a6ab3d3d35493ff272469ca055205acb12701e580c1b948f02f7c74cee9ee85953ccebf4e3ac2

Download Submit
C:\Users\Admin\AppData\Roaming\FolderNdrive\em3drive.exe.lnk

Filesize
780B

MD5
75183afec4b31e51b133e2dad5e03f13

SHA1
4fa6ed5b86a0972b39aa49f6eb16d8f31fc49648

SHA256
1f7d335168bc714b66d737efc9183fe4f50e414ae3ea30f4c6140487912889f3

SHA512
ba951f5d385f97f6300fce8c7f3be7fd61e84e5194d52f71a32f46444e50251f1d4bf24f22da671dc7b0fe26f0efba1412972629c4f9e9adca49384ed6659614

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\em3drive.exe.lnk

Filesize
832B

MD5
0ad34bdf48535b3678e43fdf93b8af31

SHA1
d8136a138da057baa8c15e6e562aed7f0949c770

SHA256
d0292c5a7fa81cb5457bcf25ae6e2c44aac5935232dea91ab6d81b85241722b0

SHA512
57a3bba92c24a66872cf27376227e4d470f71fbebc776948cabad3dfabdd067edb4d75c3e54df276235b40d8925e4a171867817510628d1507ba9aa25dd89fe7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\61g249lb.0.cs

Filesize
208KB

MD5
7731350dfdbb2a9a3e19f1238d60ff39

SHA1
1cc66d796816d38abaf0ee5d7332b51cd4fd4649

SHA256
dbd922d1d7fa05764a12fbf8814b3adeb2e693711cbd40656e1e807e7c64c463

SHA512
1a3960897403837fda298f6eb8d86e8a7127bad143ba348699f17521ca24bb672a9424a4c4986683d96ad9718f83bd0271aa5f554f6aec44f623ca84e2979c10

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\61g249lb.cmdline

Filesize
347B

MD5
01188ab9fb2e715ce68db2f5a6a23c65

SHA1
3674f38d44bfd11d3437aac4b4f56aeb44a9ee06

SHA256
cead5d39237f6fe46f19ad2b2735e11aad3a5aeb0f855979c152772d17f890ad

SHA512
2f9e8d3925b2ce0112ae762b00af49f5e8b93776e7afd25a2a0ad18443f593c4e75a00528e71642b272a52a38a697382b8cb5e540f2ef9bd34ff13e86f9977c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA91B.tmp

Filesize
676B

MD5
d4c2325da807ac42dd22a842bec29356

SHA1
07bd99d773ce4baf84e327c8c3be9a46e9924a0a

SHA256
507b8cf6ae89e9ef1db44351b162512304ffb10cf3507f91ebf37de0f8d54e6f

SHA512
df506279559e75307d16cc6fe08474558299528448c36d32685c217ad918269f9323dc16157207be9233f5efa897286627459e45769cd3b8c18c7ec2aff683ad

Download Submit
memory/1776-68-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1776-77-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1776-75-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1776-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1776-70-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1776-72-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1776-66-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1776-76-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2216-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2232-11-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2232-13-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2232-39-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2232-23-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2232-24-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-25-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-26-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-15-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2232-16-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2232-21-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2232-19-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2320-0-0x0000000074B41000-0x0000000074B42000-memory.dmp

Filesize
4KB

Download
memory/2320-40-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-3-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-2-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-1-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download