Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-10-2024 13:36

General

  • Target

    73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe

  • Size

    304KB

  • MD5

    73fad7f43d84bcda12adbfa6cd8e9ea6

  • SHA1

    1df1082319f6a9f37ed33c412881334be226f1b5

  • SHA256

    9a2c9d0f5f889043eac309a2111fdaae1f52b8b939e732ecb4ab7fa01753603d

  • SHA512

    19dff05edd6eae4660ce2bd407b165935282cbeefe01d81c070b7cfdf08125a70b448e38fc6057cdf9ba8a75d7ad2fca69cc26b50a5a5b62467feedfded8582b

  • SSDEEP

    3072:LGRb3FWp+W33MqSytZdiiBY3B6Qk5TZwBVr3W/s3O2Lb4L0FM8Q/:Labm3MUnpikT66GOCb44FM8

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Group

C2

46.183.220.104:10101

Mutex

K8P3I007-I4G2-R2U0-V0G8-T1Q3K5W771L5

Signatures

  • UAC bypass (3 TTPs, 2 IoCs)
  • Windows security bypass (2 TTPs, 2 IoCs)
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • XpertRAT Core payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Checks whether UAC is enabled (1 TTP, 2 IoCs)
  • Drops desktop.ini file(s) (2 IoCs)
  • Program crash (8 IoCs)
  • Suspicious use of SetThreadContext (50 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 50 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe (1 IoC)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (46 IoCs)
  • Suspicious use of SetWindowsHookEx (45 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1244
    • C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4468
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Roaming\tmp.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2964
    • C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4956
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4256
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4732
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        PID:400
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 84
          4⤵
          • Program crash
          PID:2460
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4436
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:8
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3892
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5060
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3836
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:548
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2572
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3868
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3516
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5036
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4852
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1200
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1204
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        PID:1396
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 192
          4⤵
          • Program crash
          PID:4856
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4748
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1068
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4824
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4156
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3400
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        PID:1940
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 192
          4⤵
          • Program crash
          PID:2712
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2040
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1920
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4000
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5100
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3292
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5068
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        PID:2056
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 84
          4⤵
          • Program crash
          PID:2448
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 92
          4⤵
          • Program crash
          PID:2228
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 120
          4⤵
          • Program crash
          PID:4284
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        PID:1548
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 84
          4⤵
          • Program crash
          PID:5072
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:924
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2008
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2300
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:220
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5004
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4484
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        PID:2400
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 192
          4⤵
          • Program crash
          PID:452
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3644
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:544
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2448
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1620
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4168
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5000
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2280
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:792
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3788
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\73fad7f43d84bcda12adbfa6cd8e9ea6_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:440
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400
    1⤵
    PID:3904
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1396 -ip 1396
    1⤵
    PID:1952
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1940 -ip 1940
    1⤵
    PID:2060
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2056 -ip 2056
    1⤵
    PID:3500
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2056 -ip 2056
    1⤵
    PID:3404
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2056 -ip 2056
    1⤵
    PID:2540
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1548 -ip 1548
    1⤵
    PID:2688
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2400 -ip 2400
    1⤵
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\FolderN\name.exe

    Filesize

    304KB

    MD5

    73fad7f43d84bcda12adbfa6cd8e9ea6

    SHA1

    1df1082319f6a9f37ed33c412881334be226f1b5

    SHA256

    9a2c9d0f5f889043eac309a2111fdaae1f52b8b939e732ecb4ab7fa01753603d

    SHA512

    19dff05edd6eae4660ce2bd407b165935282cbeefe01d81c070b7cfdf08125a70b448e38fc6057cdf9ba8a75d7ad2fca69cc26b50a5a5b62467feedfded8582b

  • C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

    Filesize

    189B

    MD5

    dca86f6bec779bba1b58d992319e88db

    SHA1

    844e656d3603d15ae56f36298f8031ad52935829

    SHA256

    413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743

    SHA512

    4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

  • C:\Users\Admin\AppData\Roaming\tmp.exe

    Filesize

    172KB

    MD5

    d5ac3689652f1d3566ec15d8ba4f088a

    SHA1

    aedd8e90ec29f1a0259eb31fab519a398cb4f205

    SHA256

    4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8

    SHA512

    6b989ca5018c9ff845461e150ac23b92ae71ef1d268d8975e52a3293f15eefadde6f3b73670c902f4d146e80db0f799b08fedd87c786ab7af366f4b54e35ba70

  • memory/1396-58-0x0000000000400000-0x0000000000402000-memory.dmp

    Filesize

    8KB

  • memory/1412-38-0x0000000074702000-0x0000000074703000-memory.dmp

    Filesize

    4KB

  • memory/1412-2-0x0000000074700000-0x0000000074CB1000-memory.dmp

    Filesize

    5.7MB

  • memory/1412-0-0x0000000074702000-0x0000000074703000-memory.dmp

    Filesize

    4KB

  • memory/1412-39-0x0000000074700000-0x0000000074CB1000-memory.dmp

    Filesize

    5.7MB

  • memory/1412-45-0x0000000074700000-0x0000000074CB1000-memory.dmp

    Filesize

    5.7MB

  • memory/1412-1-0x0000000074700000-0x0000000074CB1000-memory.dmp

    Filesize

    5.7MB

  • memory/2056-71-0x00000000003F0000-0x0000000000410000-memory.dmp

    Filesize

    128KB

  • memory/2964-32-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/4956-23-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4956-26-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4956-43-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB