modiloader | b15073458e2e5e7ead20275dad66d2fa9d49b7c9ab6cce2807446ec2e96e38db

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Size

456KB
MD5

d80e4760fd0c4e4d59062e2237115540
SHA1

50f15f4e93821ae6f4593462a56a407e4ff56e0f
SHA256

b15073458e2e5e7ead20275dad66d2fa9d49b7c9ab6cce2807446ec2e96e38db
SHA512

a045fd549e328f1e316b8134d5fdcd7ee589826bbd2f2cb704d4869a8af7968da229614d1e1b8f3578f02590f050e9ca1814317ea8ff1c403620c3a3b138efb7
SSDEEP

12288:RxwnVSwVni7zIkIzV6aj84FQt0yNDisbYfx:0VjiPTIzV6KFQt0WDiQsx

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 24 IoCs

resource	yara_rule
behavioral1/memory/2892-5-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2892-6-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2892-7-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2892-9-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2836-18-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2836-19-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2836-20-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2836-21-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2848-26-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2848-27-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-33-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-34-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-40-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2644-39-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2552-45-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2552-46-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2920-51-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2920-52-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/1772-57-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/1772-58-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/1432-63-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/1432-64-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2060-69-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral1/memory/2060-70-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 2892	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	32
PID 2044 set thread context of 2836	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	34
PID 2928 set thread context of 2848	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	36
PID 2696 set thread context of 2692	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	38
PID 2700 set thread context of 2644	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	40
PID 2568 set thread context of 2552	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	42
PID 2544 set thread context of 2920	2544	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	44
PID 2964 set thread context of 1772	2964	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	46
PID 236 set thread context of 1432	236	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	48
PID 2340 set thread context of 2060	2340	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	50
PID 112 set thread context of 1932	112	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	52
PID 1636 set thread context of 1504	1636	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	55
PID 848 set thread context of 3036	848	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	57
PID 2904 set thread context of 2344	2904	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	59
PID 1188 set thread context of 684	1188	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	61
PID 1304 set thread context of 1948	1304	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	63
PID 1664 set thread context of 1480	1664	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	65
PID 948 set thread context of 2300	948	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	67
PID 788 set thread context of 1440	788	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	69
PID 2292 set thread context of 1868	2292	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	71
PID 2972 set thread context of 1016	2972	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	73
PID 1472 set thread context of 2132	1472	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	75
PID 2056 set thread context of 2628	2056	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	77

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2044	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2044	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2044	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2044	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2892	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	32
PID 2148 wrote to memory of 2892	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	32
PID 2148 wrote to memory of 2892	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	32
PID 2148 wrote to memory of 2892	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	32
PID 2148 wrote to memory of 2892	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	32
PID 2148 wrote to memory of 2892	2148	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	32
PID 2044 wrote to memory of 2928	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	33
PID 2044 wrote to memory of 2928	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	33
PID 2044 wrote to memory of 2928	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	33
PID 2044 wrote to memory of 2928	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	33
PID 2044 wrote to memory of 2836	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	34
PID 2044 wrote to memory of 2836	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	34
PID 2044 wrote to memory of 2836	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	34
PID 2044 wrote to memory of 2836	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	34
PID 2044 wrote to memory of 2836	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	34
PID 2044 wrote to memory of 2836	2044	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	34
PID 2928 wrote to memory of 2696	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	35
PID 2928 wrote to memory of 2696	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	35
PID 2928 wrote to memory of 2696	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	35
PID 2928 wrote to memory of 2696	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	35
PID 2928 wrote to memory of 2848	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	36
PID 2928 wrote to memory of 2848	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	36
PID 2928 wrote to memory of 2848	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	36
PID 2928 wrote to memory of 2848	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	36
PID 2928 wrote to memory of 2848	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	36
PID 2928 wrote to memory of 2848	2928	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	36
PID 2696 wrote to memory of 2700	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2700	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2700	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2700	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2692	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2692	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2692	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2692	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2692	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2692	2696	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	38
PID 2700 wrote to memory of 2568	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	39
PID 2700 wrote to memory of 2568	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	39
PID 2700 wrote to memory of 2568	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	39
PID 2700 wrote to memory of 2568	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	39
PID 2700 wrote to memory of 2644	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	40
PID 2700 wrote to memory of 2644	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	40
PID 2700 wrote to memory of 2644	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	40
PID 2700 wrote to memory of 2644	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	40
PID 2700 wrote to memory of 2644	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	40
PID 2700 wrote to memory of 2644	2700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	40
PID 2568 wrote to memory of 2544	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	41
PID 2568 wrote to memory of 2544	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	41
PID 2568 wrote to memory of 2544	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	41
PID 2568 wrote to memory of 2544	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	41
PID 2568 wrote to memory of 2552	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	42
PID 2568 wrote to memory of 2552	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	42
PID 2568 wrote to memory of 2552	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	42
PID 2568 wrote to memory of 2552	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	42
PID 2568 wrote to memory of 2552	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	42
PID 2568 wrote to memory of 2552	2568	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	42
PID 2544 wrote to memory of 2964	2544	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	43
PID 2544 wrote to memory of 2964	2544	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	43
PID 2544 wrote to memory of 2964	2544	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	43
PID 2544 wrote to memory of 2964	2544	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	43

C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        14⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        16⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        20⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        21⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        22⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        23⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        24⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        23⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        22⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        21⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        20⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        19⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        18⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        17⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        16⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        15⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        14⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        13⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        12⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        11⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        10⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        9⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        8⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        7⤵
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        6⤵
        
        PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        5⤵
        
        PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
      4⤵
      PID:2848
- - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
    3⤵
    PID:2836
- C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
  2⤵
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/236-65-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/1432-63-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1432-64-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1772-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1772-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2044-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2044-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2044-22-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2060-69-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2060-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2148-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2148-10-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2148-11-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2148-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2340-71-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2544-53-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2552-45-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2552-46-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2568-47-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2644-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2644-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2692-33-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2692-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2696-35-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2700-41-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2836-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2836-18-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2836-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2836-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2848-27-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2848-26-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2892-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2892-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2892-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2892-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2892-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2920-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2920-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2928-29-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2928-12-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2928-28-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2964-59-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download