modiloader | b15073458e2e5e7ead20275dad66d2fa9d49b7c9ab6cce2807446ec2e96e38db

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Size

456KB
MD5

d80e4760fd0c4e4d59062e2237115540
SHA1

50f15f4e93821ae6f4593462a56a407e4ff56e0f
SHA256

b15073458e2e5e7ead20275dad66d2fa9d49b7c9ab6cce2807446ec2e96e38db
SHA512

a045fd549e328f1e316b8134d5fdcd7ee589826bbd2f2cb704d4869a8af7968da229614d1e1b8f3578f02590f050e9ca1814317ea8ff1c403620c3a3b138efb7
SSDEEP

12288:RxwnVSwVni7zIkIzV6aj84FQt0yNDisbYfx:0VjiPTIzV6KFQt0WDiQsx

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 45 IoCs

resource	yara_rule
behavioral2/memory/3944-2-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3944-3-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3944-4-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3944-6-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-11-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-12-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-14-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-13-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-18-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-19-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3520-21-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3520-22-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3180-24-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3180-25-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4428-27-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4428-28-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3480-30-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3480-31-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/1308-33-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/1308-34-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/2052-36-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/2052-37-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3280-39-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3280-40-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4648-42-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4648-43-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4876-45-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4876-46-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/2936-48-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/2936-49-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3856-51-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/3856-52-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/932-54-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/932-55-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/1728-57-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/1728-58-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4076-60-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4076-61-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4612-63-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4612-64-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4496-66-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4496-67-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4204-69-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/4204-70-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2
behavioral2/memory/2684-72-0x0000000000400000-0x000000000040B000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 3656 set thread context of 3944	3656	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	83
PID 3084 set thread context of 1344	3084	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	90
PID 724 set thread context of 2524	724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	94
PID 4740 set thread context of 3520	4740	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	96
PID 4736 set thread context of 3180	4736	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	100
PID 2728 set thread context of 4428	2728	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	102
PID 5048 set thread context of 3480	5048	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	104
PID 2368 set thread context of 1308	2368	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	106
PID 2124 set thread context of 2052	2124	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	108
PID 2232 set thread context of 3280	2232	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	110
PID 700 set thread context of 4648	700	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	112
PID 4576 set thread context of 4876	4576	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	114
PID 4456 set thread context of 2936	4456	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	116
PID 772 set thread context of 3856	772	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	118
PID 2756 set thread context of 932	2756	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	120
PID 2932 set thread context of 1728	2932	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	122
PID 756 set thread context of 4076	756	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	124
PID 4080 set thread context of 4612	4080	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	126
PID 1752 set thread context of 4496	1752	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	128
PID 1724 set thread context of 4204	1724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	130
PID 1888 set thread context of 2684	1888	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	132
PID 3608 set thread context of 1892	3608	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	134
PID 2956 set thread context of 4712	2956	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	136

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 3084	3656	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	82
PID 3656 wrote to memory of 3084	3656	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	82
PID 3656 wrote to memory of 3084	3656	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	82
PID 3656 wrote to memory of 3944	3656	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	83
PID 3656 wrote to memory of 3944	3656	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	83
PID 3656 wrote to memory of 3944	3656	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	83
PID 3656 wrote to memory of 3944	3656	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	83
PID 3656 wrote to memory of 3944	3656	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	83
PID 3084 wrote to memory of 724	3084	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	89
PID 3084 wrote to memory of 724	3084	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	89
PID 3084 wrote to memory of 724	3084	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	89
PID 3084 wrote to memory of 1344	3084	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	90
PID 3084 wrote to memory of 1344	3084	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	90
PID 3084 wrote to memory of 1344	3084	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	90
PID 3084 wrote to memory of 1344	3084	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	90
PID 3084 wrote to memory of 1344	3084	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	90
PID 724 wrote to memory of 4740	724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	93
PID 724 wrote to memory of 4740	724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	93
PID 724 wrote to memory of 4740	724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	93
PID 724 wrote to memory of 2524	724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	94
PID 724 wrote to memory of 2524	724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	94
PID 724 wrote to memory of 2524	724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	94
PID 724 wrote to memory of 2524	724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	94
PID 724 wrote to memory of 2524	724	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	94
PID 4740 wrote to memory of 4736	4740	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	95
PID 4740 wrote to memory of 4736	4740	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	95
PID 4740 wrote to memory of 4736	4740	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	95
PID 4740 wrote to memory of 3520	4740	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	96
PID 4740 wrote to memory of 3520	4740	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	96
PID 4740 wrote to memory of 3520	4740	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	96
PID 4740 wrote to memory of 3520	4740	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	96
PID 4740 wrote to memory of 3520	4740	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	96
PID 4736 wrote to memory of 2728	4736	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	98
PID 4736 wrote to memory of 2728	4736	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	98
PID 4736 wrote to memory of 2728	4736	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	98
PID 4736 wrote to memory of 3180	4736	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	100
PID 4736 wrote to memory of 3180	4736	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	100
PID 4736 wrote to memory of 3180	4736	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	100
PID 4736 wrote to memory of 3180	4736	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	100
PID 4736 wrote to memory of 3180	4736	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	100
PID 2728 wrote to memory of 5048	2728	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	101
PID 2728 wrote to memory of 5048	2728	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	101
PID 2728 wrote to memory of 5048	2728	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	101
PID 2728 wrote to memory of 4428	2728	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	102
PID 2728 wrote to memory of 4428	2728	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	102
PID 2728 wrote to memory of 4428	2728	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	102
PID 2728 wrote to memory of 4428	2728	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	102
PID 2728 wrote to memory of 4428	2728	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	102
PID 5048 wrote to memory of 2368	5048	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	103
PID 5048 wrote to memory of 2368	5048	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	103
PID 5048 wrote to memory of 2368	5048	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	103
PID 5048 wrote to memory of 3480	5048	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	104
PID 5048 wrote to memory of 3480	5048	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	104
PID 5048 wrote to memory of 3480	5048	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	104
PID 5048 wrote to memory of 3480	5048	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	104
PID 5048 wrote to memory of 3480	5048	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	104
PID 2368 wrote to memory of 2124	2368	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	105
PID 2368 wrote to memory of 2124	2368	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	105
PID 2368 wrote to memory of 2124	2368	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	105
PID 2368 wrote to memory of 1308	2368	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	106
PID 2368 wrote to memory of 1308	2368	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	106
PID 2368 wrote to memory of 1308	2368	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	106
PID 2368 wrote to memory of 1308	2368	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	106
PID 2368 wrote to memory of 1308	2368	d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe	106

C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4736
      - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        14⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        16⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        20⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        21⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        22⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        23⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        24⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        23⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        22⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        21⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        20⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        19⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        18⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        17⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        16⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        15⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        14⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        13⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        12⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        11⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        10⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        9⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        8⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        7⤵
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        6⤵
        
        PID:3180
    - - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
        5⤵
        
        PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
      4⤵
      PID:2524
- - C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
    3⤵
    PID:1344
- C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d80e4760fd0c4e4d59062e2237115540_JaffaCakes118.exe D:\Hex Projects\mine.exe
  2⤵
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/700-44-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/724-17-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/724-20-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/724-9-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/756-62-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/772-53-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/932-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/932-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1308-33-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1308-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1344-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1344-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1344-14-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1344-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1724-71-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/1728-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1728-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1752-68-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2052-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2052-36-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2124-38-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2232-41-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2368-35-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2524-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2524-18-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2684-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2728-29-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2756-56-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2932-59-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/2936-49-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2936-48-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3084-15-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/3084-1-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3084-10-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3180-25-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3180-24-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3280-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3280-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3480-31-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3480-30-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3520-22-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3520-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3656-0-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3656-5-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3656-7-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/3656-8-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/3856-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3856-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3944-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3944-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3944-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3944-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4076-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4076-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4080-65-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/4204-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4204-69-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4428-28-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4428-27-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4456-50-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/4496-66-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4496-67-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4576-47-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/4612-63-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-64-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4648-42-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4648-43-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4736-26-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/4740-16-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4740-23-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download
memory/4876-46-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4876-45-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5048-32-0x0000000040000000-0x000000004007F000-memory.dmp

Filesize
508KB

Download