orcus | 15a56267ca5e39c679432257291333d4878e70650d419dca6c90b942377b043f

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Size

1.6MB
MD5

f8d622954cef4882bc8a0a77ad399604
SHA1

0e904cebd41ae2aaa1947aeaf431449b319e07f6
SHA256

15a56267ca5e39c679432257291333d4878e70650d419dca6c90b942377b043f
SHA512

c4f9eeb7d9c49e742785b4a1f04ab677a9086d898b3c725bf9d32cebf4d5718a205b5e13f7bc64510f6169fef787636c49c45e3370f9ff29959514f867e893a5
SSDEEP

49152:RmizTCwwGX9AvRoaXp2kEfhHsXrAolZHTJx:Rvz7/+RzpMhz6Htx

Score

10^/10

orcus desk-100618 defense_evasion discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

DESK-100618

poulty55.chickenkiller.com:9030

Mutex

a386a045d9c842428c74de4ed9645fe9

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10002
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/796-84-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/796-83-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/796-82-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/796-79-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/796-77-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Drops startup file 2 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exeManiPool8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34Yearsname.exe.lnk	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34Yearsname.exe.lnk	ManiPool8.exe

Executes dropped EXE 2 IoCs

Processes:

ManiPool8.exeManiPool8.exe

pid process

2652 ManiPool8.exe
2952 ManiPool8.exe

pid	process
2652	ManiPool8.exe
2952	ManiPool8.exe

Loads dropped DLL 6 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.execmd.exeManiPool8.exe

pid	process
2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
2656	cmd.exe
2652	ManiPool8.exe
2652	ManiPool8.exe
2652	ManiPool8.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exeManiPool8.exeManiPool8.exe

description	pid	process	target process
PID 2528 set thread context of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2652 set thread context of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2952 set thread context of 796	2952	ManiPool8.exe	regasm.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.execmd.exereg.execmd.exereg.exereg.execmd.exereg.exereg.execmd.execmd.execmd.exereg.exereg.exereg.exereg.exereg.exereg.execmd.execmd.execmd.execmd.execmd.execmd.exereg.execmd.execmd.exereg.exereg.execsc.exereg.exereg.exereg.execvtres.execmd.execmd.exereg.exereg.execmd.exeregasm.execmd.execmd.execmd.execmd.exereg.execmd.execmd.execmd.exereg.execmd.exetimeout.execmd.exereg.execmd.execmd.execmd.exereg.exeManiPool8.exereg.execmd.execmd.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManiPool8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2904 timeout.exe

pid	process
2904	timeout.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exeManiPool8.exeManiPool8.exe

pid	process
2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
2652	ManiPool8.exe
2652	ManiPool8.exe
2652	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe
2952	ManiPool8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regasm.exe

pid process

796 regasm.exe

pid	process
796	regasm.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exef8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exeManiPool8.exeManiPool8.exeregasm.exe

description	pid	process
Token: SeDebugPrivilege	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Token: 33	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Token: SeDebugPrivilege	2996	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Token: SeDebugPrivilege	2652	ManiPool8.exe
Token: 33	2652	ManiPool8.exe
Token: SeIncBasePriorityPrivilege	2652	ManiPool8.exe
Token: SeDebugPrivilege	2952	ManiPool8.exe
Token: SeDebugPrivilege	796	regasm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

regasm.exe

pid process

796 regasm.exe

pid	process
796	regasm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.execmd.execmd.exef8d622954cef4882bc8a0a77ad399604_JaffaCakes118.execmd.exeManiPool8.execmd.exeManiPool8.execmd.exe

description	pid	process	target process
PID 2528 wrote to memory of 972	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2528 wrote to memory of 972	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2528 wrote to memory of 972	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2528 wrote to memory of 972	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 972 wrote to memory of 2388	972	cmd.exe	reg.exe
PID 972 wrote to memory of 2388	972	cmd.exe	reg.exe
PID 972 wrote to memory of 2388	972	cmd.exe	reg.exe
PID 972 wrote to memory of 2388	972	cmd.exe	reg.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2996	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2528 wrote to memory of 2820	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2528 wrote to memory of 2820	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2528 wrote to memory of 2820	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2528 wrote to memory of 2820	2528	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2820 wrote to memory of 2904	2820	cmd.exe	timeout.exe
PID 2820 wrote to memory of 2904	2820	cmd.exe	timeout.exe
PID 2820 wrote to memory of 2904	2820	cmd.exe	timeout.exe
PID 2820 wrote to memory of 2904	2820	cmd.exe	timeout.exe
PID 2996 wrote to memory of 2656	2996	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2996 wrote to memory of 2656	2996	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2996 wrote to memory of 2656	2996	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2996 wrote to memory of 2656	2996	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2656 wrote to memory of 2652	2656	cmd.exe	ManiPool8.exe
PID 2656 wrote to memory of 2652	2656	cmd.exe	ManiPool8.exe
PID 2656 wrote to memory of 2652	2656	cmd.exe	ManiPool8.exe
PID 2656 wrote to memory of 2652	2656	cmd.exe	ManiPool8.exe
PID 2656 wrote to memory of 2652	2656	cmd.exe	ManiPool8.exe
PID 2656 wrote to memory of 2652	2656	cmd.exe	ManiPool8.exe
PID 2656 wrote to memory of 2652	2656	cmd.exe	ManiPool8.exe
PID 2652 wrote to memory of 2196	2652	ManiPool8.exe	cmd.exe
PID 2652 wrote to memory of 2196	2652	ManiPool8.exe	cmd.exe
PID 2652 wrote to memory of 2196	2652	ManiPool8.exe	cmd.exe
PID 2652 wrote to memory of 2196	2652	ManiPool8.exe	cmd.exe
PID 2196 wrote to memory of 1064	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 1064	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 1064	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 1064	2196	cmd.exe	reg.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2652 wrote to memory of 2952	2652	ManiPool8.exe	ManiPool8.exe
PID 2952 wrote to memory of 616	2952	ManiPool8.exe	cmd.exe
PID 2952 wrote to memory of 616	2952	ManiPool8.exe	cmd.exe
PID 2952 wrote to memory of 616	2952	ManiPool8.exe	cmd.exe
PID 2952 wrote to memory of 616	2952	ManiPool8.exe	cmd.exe
PID 616 wrote to memory of 1592	616	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.lnk" /f
    3⤵
    PID:2388
- C:\Users\Admin\AppData\Local\Temp\f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    "cmd"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe
      "C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe"
        5⤵
        Subvert Trust Controls: Mark-of-the-Web Bypass
        NTFS ADS
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.lnk" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
    - - C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe
        
        "C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1592
      - C:\Windows\Microsoft.net\Framework\v2.0.50727\regasm.exe
        
        "C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jrxyafak.cmdline"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE763.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE762.tmp"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:316
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:936
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1596
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1448
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:324
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1088
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2336
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1744
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2088
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1508
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2576
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1400
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3008
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2828
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2616
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2236
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2684
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1636
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1072
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1176
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1760
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:316
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2580
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:444
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2604
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1240
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:736
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1716
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1700
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2060
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2396
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2556
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2352
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1516
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2892
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2632
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2660
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:748
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:848
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2920
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:272
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        
        PID:2536
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:580
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2064
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2404
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1812
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabEB0C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt

Filesize
72B

MD5
26ac1207f6db39ca0d1ad65d84d31486

SHA1
99fb6eab1f00e26aa4dbaea10502f6bcaa2c9a99

SHA256
fbe9af6dddb9c872e6fce6c643519f3cdf3719516e8c388a3524a6d121a835fd

SHA512
28db2596fc93344c701a3b9365117de130d29030372ef3d79501a930e13f0c056ec69061a7055d8ec633697f17baae1534c99a225514d73ee780ffd8bcd33633

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE763.tmp

Filesize
1KB

MD5
1ae31113eaac7fb6b2f3d7720ea6e0ce

SHA1
364899e77a2f022df05047154cf9350cae743e6a

SHA256
df6a41d50163e5e4a8634dac2e2bf361989f1067c6f77dc6e0b32ba0e6e6587f

SHA512
5b01cc0f06da72f776e33da435922b6f73fde88497a5f3a1c6f46971c67c3a25d02576e91c4f51e7fb33d1feebafc9babdb9c58cfb323df14b8d4c839e26d90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrxyafak.dll

Filesize
76KB

MD5
c437156822ae953267abd9a611af5987

SHA1
a550cb6af9c837c44d4bb8b7391e7359d55107c7

SHA256
fda7047c4224a3e91aaffad3bc04b4757b3369062242ea7a932c002aee5c0406

SHA512
293d9791795ac6c68355d702abff54aab92886be922ca15e1538e3f6a86ba119aa0e5ddab12196390929e2eea4781f8f3de1a691d955fccb3f195cfb37d3440f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34Yearsname.exe.lnk

Filesize
842B

MD5
1000357045ba7ad0f9fb341aae1a9684

SHA1
2c84869c2d97b24fcfbf255a1b4031b471461358

SHA256
c450a30efca317f35104e85e3b1c61a7c9ad6e26feb7fdbb0e1ee8b988c0f497

SHA512
9e903409c0cb33edf73640810328feaa1d940e974154c20078b06cc11c7b98f58d11f766a9d444489cc53e5ef737e29a453f1ce614a90d635ce4a634001f074d

Download Submit
C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe

Filesize
1.6MB

MD5
f8d622954cef4882bc8a0a77ad399604

SHA1
0e904cebd41ae2aaa1947aeaf431449b319e07f6

SHA256
15a56267ca5e39c679432257291333d4878e70650d419dca6c90b942377b043f

SHA512
c4f9eeb7d9c49e742785b4a1f04ab677a9086d898b3c725bf9d32cebf4d5718a205b5e13f7bc64510f6169fef787636c49c45e3370f9ff29959514f867e893a5

Download Submit
C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.bat

Filesize
212B

MD5
acd537d8e26cfc67f4f36a6091ab4531

SHA1
23196ed840f2faeb03c7d3a5fee94836b52d3ebf

SHA256
1174256ce7f8ec6745f41bf57aa5a4997e60d85b2ca784672ffeb365f29904b5

SHA512
41b3f296f0bffc069c156ac84e8e0d2db3cdf2f5b7370fdc1d3d9b2a083701d269f2805fbbc9ef6b05f40ea37ab0f18a7b4bec06b55642ec873c353e1f7e47fd

Download Submit
C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.lnk

Filesize
874B

MD5
dea6f5f6fc99b7834d6e276f6d198961

SHA1
a276d17644e671db403252b3d3d78e25d13bb80b

SHA256
1eca6b05e7841c7f0cf769922f29c818e84955e62762c33f56ea87cd3cdce649

SHA512
3d40a17eccf52593f9d29c6c20735985d52113f71de5998b80886e2938ac6bd86274923e6967c509595ea00a0b7bafe9a24cedfa365ba7b663c64f64adcab04f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE762.tmp

Filesize
676B

MD5
b1022954b05cda4acad7a2eb50b03ad5

SHA1
3eaec3ecdbe27abc0d7ce1d86b5e4c2420c640a5

SHA256
f89200921624db78d5b28103c0d02c43cb5a95973d03fba5dc7581348007b504

SHA512
b1026427f4d1d9a890a9accd21fad1e19f9e209f174cc6f5016d11b9984816e80833eb5e93b5d9c81deace53fda6120d1e533e88286ac356f2bf672987bb27d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jrxyafak.0.cs

Filesize
208KB

MD5
cea19e599e7a887502a4824be1f2cfab

SHA1
6b35658a13220d801f9863fad81cff4794dab775

SHA256
3aafbf96ddcf61b1e9b661d0b8a2db7080d33a4f44143ef21e8886a2f9517d18

SHA512
061b0325aa230c45dd5b716401f6ae1f36dc65d36ee9a04a48e3fff6ba2dd552033b4b65d354ced396e6547aea8de468209b1dd2d183807e823142bf8944e1ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jrxyafak.cmdline

Filesize
347B

MD5
71f4e1993a938bf3d8bce094d08c15cc

SHA1
cb02c951e1fe01765794f073bc39bcb043fd2903

SHA256
71bcfa7d5dc0262ca6399db2f7b10a4d86fc7fa73b24c3fa059d80388ab4634e

SHA512
fe7387f222ad6969cf5fd02d79751ab474c8e824be2035eb3ac8beb28c81f1225d3b81487a955729503f54877deb4d88d1a2d4dbed1a0822947e4bc158fc7268

Download Submit
memory/796-79-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/796-77-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/796-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/796-82-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/796-83-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/796-84-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/796-75-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/796-73-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2528-0-0x00000000743F1000-0x00000000743F2000-memory.dmp

Filesize
4KB

Download
memory/2528-1-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-116-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-44-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-2-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-71-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2952-70-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2952-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2996-15-0x00000000004B0000-0x0000000000648000-memory.dmp

Filesize
1.6MB

Download
memory/2996-12-0x00000000004B0000-0x0000000000648000-memory.dmp

Filesize
1.6MB

Download
memory/2996-39-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-13-0x00000000004B0000-0x0000000000648000-memory.dmp

Filesize
1.6MB

Download
memory/2996-19-0x00000000004B0000-0x0000000000648000-memory.dmp

Filesize
1.6MB

Download
memory/2996-21-0x00000000004B0000-0x0000000000648000-memory.dmp

Filesize
1.6MB

Download
memory/2996-25-0x00000000004B0000-0x0000000000648000-memory.dmp

Filesize
1.6MB

Download
memory/2996-28-0x00000000004B0000-0x0000000000648000-memory.dmp

Filesize
1.6MB

Download
memory/2996-29-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-42-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2996-16-0x00000000004B0000-0x0000000000648000-memory.dmp

Filesize
1.6MB

Download