orcus | 15a56267ca5e39c679432257291333d4878e70650d419dca6c90b942377b043f

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Size

1.6MB
MD5

f8d622954cef4882bc8a0a77ad399604
SHA1

0e904cebd41ae2aaa1947aeaf431449b319e07f6
SHA256

15a56267ca5e39c679432257291333d4878e70650d419dca6c90b942377b043f
SHA512

c4f9eeb7d9c49e742785b4a1f04ab677a9086d898b3c725bf9d32cebf4d5718a205b5e13f7bc64510f6169fef787636c49c45e3370f9ff29959514f867e893a5
SSDEEP

49152:RmizTCwwGX9AvRoaXp2kEfhHsXrAolZHTJx:Rvz7/+RzpMhz6Htx

Score

10^/10

orcus desk-100618 defense_evasion discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

DESK-100618

poulty55.chickenkiller.com:9030

Mutex

a386a045d9c842428c74de4ed9645fe9

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10002
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4724-40-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Drops startup file 2 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exeManiPool8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34Yearsname.exe.lnk	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34Yearsname.exe.lnk	ManiPool8.exe

Executes dropped EXE 2 IoCs

Processes:

ManiPool8.exeManiPool8.exe

pid process

4280 ManiPool8.exe
904 ManiPool8.exe

pid	process
4280	ManiPool8.exe
904	ManiPool8.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManiPool8Start = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ManiPool8Start.txt \| cmd"	reg.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exeManiPool8.exeManiPool8.exe

description	pid	process	target process
PID 2664 set thread context of 3760	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 4280 set thread context of 904	4280	ManiPool8.exe	ManiPool8.exe
PID 904 set thread context of 4724	904	ManiPool8.exe	regasm.exe

Drops file in Windows directory 3 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regasm.exereg.exereg.execmd.execmd.exereg.execmd.execmd.exeManiPool8.exereg.exereg.exereg.exereg.execmd.execmd.exereg.execmd.exereg.exereg.exereg.exereg.exereg.exereg.execmd.execmd.exereg.exereg.exereg.exereg.exereg.execmd.execmd.execmd.exereg.exereg.execmd.execmd.execmd.exereg.execmd.exereg.exereg.exereg.exereg.exereg.exereg.execmd.exereg.exereg.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exereg.exereg.exereg.execmd.exereg.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManiPool8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1936 timeout.exe

pid	process
1936	timeout.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exeManiPool8.exeManiPool8.exe

pid	process
2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
4280	ManiPool8.exe
4280	ManiPool8.exe
4280	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe
904	ManiPool8.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exef8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exeManiPool8.exeManiPool8.exeregasm.exe

description	pid	process
Token: SeDebugPrivilege	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Token: 33	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Token: SeDebugPrivilege	3760	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
Token: SeDebugPrivilege	4280	ManiPool8.exe
Token: 33	4280	ManiPool8.exe
Token: SeIncBasePriorityPrivilege	4280	ManiPool8.exe
Token: SeDebugPrivilege	904	ManiPool8.exe
Token: SeDebugPrivilege	4724	regasm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

regasm.exe

pid process

4724 regasm.exe

pid	process
4724	regasm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.execmd.execmd.exef8d622954cef4882bc8a0a77ad399604_JaffaCakes118.execmd.exeManiPool8.execmd.exeManiPool8.execmd.execmd.exeregasm.execsc.exe

description	pid	process	target process
PID 2664 wrote to memory of 5064	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 5064	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 5064	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 5064 wrote to memory of 3216	5064	cmd.exe	reg.exe
PID 5064 wrote to memory of 3216	5064	cmd.exe	reg.exe
PID 5064 wrote to memory of 3216	5064	cmd.exe	reg.exe
PID 2664 wrote to memory of 3760	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2664 wrote to memory of 3760	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2664 wrote to memory of 3760	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2664 wrote to memory of 3760	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2664 wrote to memory of 3760	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2664 wrote to memory of 3760	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2664 wrote to memory of 3760	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2664 wrote to memory of 3760	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
PID 2664 wrote to memory of 1832	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 1832	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 2664 wrote to memory of 1832	2664	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 1832 wrote to memory of 1936	1832	cmd.exe	timeout.exe
PID 1832 wrote to memory of 1936	1832	cmd.exe	timeout.exe
PID 1832 wrote to memory of 1936	1832	cmd.exe	timeout.exe
PID 3760 wrote to memory of 4056	3760	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 3760 wrote to memory of 4056	3760	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 3760 wrote to memory of 4056	3760	f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe	cmd.exe
PID 4056 wrote to memory of 4280	4056	cmd.exe	ManiPool8.exe
PID 4056 wrote to memory of 4280	4056	cmd.exe	ManiPool8.exe
PID 4056 wrote to memory of 4280	4056	cmd.exe	ManiPool8.exe
PID 4280 wrote to memory of 2952	4280	ManiPool8.exe	cmd.exe
PID 4280 wrote to memory of 2952	4280	ManiPool8.exe	cmd.exe
PID 4280 wrote to memory of 2952	4280	ManiPool8.exe	cmd.exe
PID 2952 wrote to memory of 1972	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 1972	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 1972	2952	cmd.exe	reg.exe
PID 4280 wrote to memory of 904	4280	ManiPool8.exe	ManiPool8.exe
PID 4280 wrote to memory of 904	4280	ManiPool8.exe	ManiPool8.exe
PID 4280 wrote to memory of 904	4280	ManiPool8.exe	ManiPool8.exe
PID 4280 wrote to memory of 904	4280	ManiPool8.exe	ManiPool8.exe
PID 4280 wrote to memory of 904	4280	ManiPool8.exe	ManiPool8.exe
PID 4280 wrote to memory of 904	4280	ManiPool8.exe	ManiPool8.exe
PID 4280 wrote to memory of 904	4280	ManiPool8.exe	ManiPool8.exe
PID 4280 wrote to memory of 904	4280	ManiPool8.exe	ManiPool8.exe
PID 904 wrote to memory of 664	904	ManiPool8.exe	cmd.exe
PID 904 wrote to memory of 664	904	ManiPool8.exe	cmd.exe
PID 904 wrote to memory of 664	904	ManiPool8.exe	cmd.exe
PID 664 wrote to memory of 2580	664	cmd.exe	reg.exe
PID 664 wrote to memory of 2580	664	cmd.exe	reg.exe
PID 664 wrote to memory of 2580	664	cmd.exe	reg.exe
PID 904 wrote to memory of 4724	904	ManiPool8.exe	regasm.exe
PID 904 wrote to memory of 4724	904	ManiPool8.exe	regasm.exe
PID 904 wrote to memory of 4724	904	ManiPool8.exe	regasm.exe
PID 904 wrote to memory of 4724	904	ManiPool8.exe	regasm.exe
PID 904 wrote to memory of 4724	904	ManiPool8.exe	regasm.exe
PID 904 wrote to memory of 4724	904	ManiPool8.exe	regasm.exe
PID 904 wrote to memory of 4724	904	ManiPool8.exe	regasm.exe
PID 904 wrote to memory of 4724	904	ManiPool8.exe	regasm.exe
PID 904 wrote to memory of 4768	904	ManiPool8.exe	cmd.exe
PID 904 wrote to memory of 4768	904	ManiPool8.exe	cmd.exe
PID 904 wrote to memory of 4768	904	ManiPool8.exe	cmd.exe
PID 4768 wrote to memory of 1328	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 1328	4768	cmd.exe	reg.exe
PID 4768 wrote to memory of 1328	4768	cmd.exe	reg.exe
PID 4724 wrote to memory of 3464	4724	regasm.exe	csc.exe
PID 4724 wrote to memory of 3464	4724	regasm.exe	csc.exe
PID 4724 wrote to memory of 3464	4724	regasm.exe	csc.exe
PID 3464 wrote to memory of 1268	3464	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3216
- C:\Users\Admin\AppData\Local\Temp\f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe
      "C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe"
        5⤵
        Subvert Trust Controls: Mark-of-the-Web Bypass
        NTFS ADS
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.lnk" /f
        6⤵
        
        PID:1972
    - - C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe
        
        "C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2580
      - C:\Windows\Microsoft.net\Framework\v2.0.50727\regasm.exe
        
        "C:\Users\Admin\AppData\Roaming\ManiPool8Update\ManiPool8.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g8ykentd.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD15B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD15A.tmp"
        8⤵
        
        PID:1268
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1328
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3904
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2584
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3192
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2568
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3996
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3032
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4468
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        
        PID:3900
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:4740
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:4088
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:4156
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5000
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2896
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4132
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2196
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3532
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3676
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:980
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3500
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:220
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:232
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2488
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3556
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3920
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:4860
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4132
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4840
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5080
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3980
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:5060
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3720
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:4108
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:4484
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2088
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3176
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:892
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3816
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2360
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4200
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2872
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1852
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:5044
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1896
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3416
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4432
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4120
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:3368
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:924
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2220
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ManiPool8Start" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt" | cmd"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\f8d622954cef4882bc8a0a77ad399604_JaffaCakes118.exe.log

Filesize
223B

MD5
cde6529abeea500fb852f29ba0da6115

SHA1
45f2f48492417ae6a0eade8aaa808d3d1d760743

SHA256
d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5

SHA512
c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234

Download Submit
C:\Users\Admin\AppData\Local\Temp\ManiPool8Start.txt

Filesize
72B

MD5
26ac1207f6db39ca0d1ad65d84d31486

SHA1
99fb6eab1f00e26aa4dbaea10502f6bcaa2c9a99

SHA256
fbe9af6dddb9c872e6fce6c643519f3cdf3719516e8c388a3524a6d121a835fd

SHA512
28db2596fc93344c701a3b9365117de130d29030372ef3d79501a930e13f0c056ec69061a7055d8ec633697f17baae1534c99a225514d73ee780ffd8bcd33633

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD15B.tmp

Filesize
1KB

MD5
76b60fa7702441d95e4c98370ca546fb

SHA1
2263f399918914e8883ef0e2f0b7fee6d224e8bc

SHA256
d098e2e543265423e0af988e6ee6692f708b09a161a0cf65c38488845f26d954

SHA512
a65b03effcf4ad43f0fb45ae30e133f1c24a922a751e5bbea6e13eff9df0620c53c6cb0f9dbcc3e2f8b80f136f6b8c4a0fa2ca0459ae7dcbefdc1ea9f09b8cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8ykentd.dll

Filesize
76KB

MD5
e97e9f980db6a9761c2db91034724084

SHA1
4b00ff7e11c7c76da5f8a417019fb0235bde0695

SHA256
0721977627a89b5238092720270146546d80913b1de01e3d5aab3f7ec7c0cd90

SHA512
39e205114348a22f2c50a15fcaef89c922f9b6a287e8f5727e1170519be46428b1918b632146c6def5bc70f429b5c821265abcd79b9527c2725fa24c99da8936

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34Yearsname.exe.lnk

Filesize
925B

MD5
c1835c976b808072b27aaf939ddc4ce3

SHA1
847d17755f1409aed63faa865681384da0e16df8

SHA256
fa906701368a4df4924d25e3a3be3ea40ba9a28cb027de1e39f4218a62bf98ba

SHA512
32c5cbececb5e43cef254209a8da45cab420b4fb799b40942e521a0f0609f52adc4d0fbf750c3bd0ed6677d2919244d104989cf1879d740a91eac8535a4f647c

Download Submit
C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe

Filesize
1.6MB

MD5
f8d622954cef4882bc8a0a77ad399604

SHA1
0e904cebd41ae2aaa1947aeaf431449b319e07f6

SHA256
15a56267ca5e39c679432257291333d4878e70650d419dca6c90b942377b043f

SHA512
c4f9eeb7d9c49e742785b4a1f04ab677a9086d898b3c725bf9d32cebf4d5718a205b5e13f7bc64510f6169fef787636c49c45e3370f9ff29959514f867e893a5

Download Submit
C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.bat

Filesize
212B

MD5
acd537d8e26cfc67f4f36a6091ab4531

SHA1
23196ed840f2faeb03c7d3a5fee94836b52d3ebf

SHA256
1174256ce7f8ec6745f41bf57aa5a4997e60d85b2ca784672ffeb365f29904b5

SHA512
41b3f296f0bffc069c156ac84e8e0d2db3cdf2f5b7370fdc1d3d9b2a083701d269f2805fbbc9ef6b05f40ea37ab0f18a7b4bec06b55642ec873c353e1f7e47fd

Download Submit
C:\Users\Admin\AppData\Roaming\YearFolderN\34Yearsname.exe.lnk

Filesize
875B

MD5
e1226379cd92f86cf84a43c2c1ee98d1

SHA1
337ab073f494d1d676ee4f6d133b54706aa02d23

SHA256
309a6c33404d331c6600350457bf2753daf8801526cb67737df13b77341f7c8c

SHA512
dd748545e2be4ab644cb3ed0728fa4d9634424baa3b215c85ac3db66c9d9d945344608deb00014980d3cb219225b4f7d83081933b8500d0bc8eeb7dde1fbef81

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD15A.tmp

Filesize
676B

MD5
a50e82245d910c95c816da2abe021853

SHA1
d258bc8d8cf3d4502fc2d1991ec7276b1004ecab

SHA256
2673bf88ff74c7cf2e80b6366b23723bf9d1881fa62e7d0d7bd367f2edc7a501

SHA512
0fd439bf88cf7ca50b4dff93bb656ba4a56a47191617f81c04730ed800c12974be838cdc086ec39e6b0f9e66cbc74583b98d584f7c92f41d8b1a9e10e0903ab0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g8ykentd.0.cs

Filesize
208KB

MD5
6da3ba389a47b579e9fbbf7d8d91c340

SHA1
1810dd5c1e0810a10ff13d62fa6862f3b2556315

SHA256
30fba8d509db121ace79a2d79f6bf6ef9aac3a1da9c753a44e9b5a5f7fb6e14c

SHA512
f63f3aede1f040035324b4ed2621e3d575c464b57b750a892f2283fa3e40fbb013a4adb4eeebb8d98e33afe162b259a619dfacd10da94630c7c5d7ed2b55200f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g8ykentd.cmdline

Filesize
347B

MD5
3ed7b13f7ed46781c74463ddb33dcced

SHA1
5fbc41b3c5478cfe14f37d088cc5ff66d92247d1

SHA256
0473eac7667031f7cea9433bd3e2adde8f6b08f18259e27d47416f4f9c536af5

SHA512
494dc027b59ced8b6f542545c2adc81c905ebfb43bf0d7a171cd756a8ec06e8d9e0390fdc1dd9d333494e928934c39bc26a47365e7d6c97bec984373b6fa8c66

Download Submit
memory/2664-25-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2664-0-0x0000000074F02000-0x0000000074F03000-memory.dmp

Filesize
4KB

Download
memory/2664-24-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2664-23-0x0000000074F02000-0x0000000074F03000-memory.dmp

Filesize
4KB

Download
memory/2664-2-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2664-59-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/2664-1-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/3760-22-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/3760-13-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/3760-12-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4724-40-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download