0674a9370b11490624738f77781ed6acec5485f5d5e4d5e76209ca99d369b325

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
Size

889KB
MD5

8a5f051b4f28f1c1e11625ef65416e8f
SHA1

4ba7a2254ae00713d6f68c93c6018401b0341df7
SHA256

0674a9370b11490624738f77781ed6acec5485f5d5e4d5e76209ca99d369b325
SHA512

1e1c19a551be9c8702b232ed21c1999e025240407ab0eefef6cb94498f699557d9d78958a54619e1c6122513614633a5c7690ce9cea1f8f439120af13413b0ee
SSDEEP

12288:KDMZ2UOv2HCCVIiG6bmp6wyNBUJmHDrRfk9qKv6a+cN8Lf1VMNc:zZm+LG6bmp6hNBUJmHD1gvBNKNVMW

Score

8^/10

bootkit discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\sysvservice.sys	TTSetup.exe

Executes dropped EXE 4 IoCs

pid	Process
2088	SeMiniSetup_3170_1202.exe
2524	drInstall.exe
1152	TTSetup.exe
3032	gins.exe

Loads dropped DLL 8 IoCs

pid	Process
2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SeMiniSetup_3170_1202.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HookPool.sys	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
File created	C:\Windows\SysWOW64\drInstall.exe	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
File created	C:\Windows\SysWOW64\gins.exe	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001659b-13.dat	upx
behavioral1/memory/2112-16-0x0000000000C60000-0x0000000000C73000-memory.dmp	upx
behavioral1/files/0x0008000000016645-29.dat	upx
behavioral1/memory/1152-28-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1152-36-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2524-45-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/3032-50-0x0000000010000000-0x000000001003A000-memory.dmp	upx
behavioral1/memory/3032-49-0x0000000010000000-0x000000001003A000-memory.dmp	upx
behavioral1/memory/3032-47-0x0000000010000000-0x000000001003A000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\msclientlogo.jpg	TTSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SeMiniSetup_3170_1202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gins.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008cf1f81a71291346b058c6231e72e30d00000000020000000000106600000001000020000000f93cbfd913dc283baa5dee08696e57343c4f3f2be2710c8f3e08e4bb7d4b624a000000000e800000000200002000000092446ea6486d61c9fbf5b70cc9f566b036496ac5e7d0f836474f03426e1ca769900000001dc75a15c71be9b4cd9d89bb2e9030c1bea0a6cc07af56b1628fd263bfc07b446d284b8c7ff2a0e6c5a7a74064834bdf1020db5a451302de1fac6593ed5b763953c86f70f71efc2aafb12cea2243ff52a2a6535510de91d2d39b95a6c4a6acf7f633bdf4092a83e07d3e17150c0e62159765c56089eda5d50ee6d300ae9d70af3d7cac4b434915c9d71f7096976d39a540000000e41f3c03c2a46e7f626c49251276e8de8181a458327991be8720bf74555c0e2db0c73e8baff1e873e6b193473b2d50bb9800af78542b7d7da95c407a525e7f24	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449302507"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008cf1f81a71291346b058c6231e72e30d00000000020000000000106600000001000020000000ea181c4a117cf8f9d4880d11a0060a7731d1ed537b458aec36be811c2c927be3000000000e8000000002000020000000539aefea8acc883d33e5dcd2c5160ef1cd0c1a26f6cf6838c4ed79feb7896e68200000003cb0c84085da584c7bed0c66661bc543a13de0acfed4de0bf54c40d37af381434000000057392f532a3b0d1d73bbae202f790e137dd9d6acd5cec44758f22b78e79bfa8d39a00b0dbc1ddf2aa0be9a5b31145213fd389fd5f55f27934fc0506b842e2058	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b083297ca49fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5E90B31-0B97-11F0-B5A6-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2088	SeMiniSetup_3170_1202.exe
2912	iexplore.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2088	SeMiniSetup_3170_1202.exe
2088	SeMiniSetup_3170_1202.exe
2912	iexplore.exe
2912	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2912	iexplore.exe
2912	iexplore.exe
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE
2912	iexplore.exe
2912	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2088	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	30
PID 2112 wrote to memory of 2088	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	30
PID 2112 wrote to memory of 2088	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	30
PID 2112 wrote to memory of 2088	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	30
PID 2112 wrote to memory of 2088	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	30
PID 2112 wrote to memory of 2088	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	30
PID 2112 wrote to memory of 2088	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	30
PID 2112 wrote to memory of 2524	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	31
PID 2112 wrote to memory of 2524	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	31
PID 2112 wrote to memory of 2524	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	31
PID 2112 wrote to memory of 2524	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	31
PID 2112 wrote to memory of 2524	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	31
PID 2112 wrote to memory of 2524	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	31
PID 2112 wrote to memory of 2524	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	31
PID 2112 wrote to memory of 1152	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	33
PID 2112 wrote to memory of 1152	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	33
PID 2112 wrote to memory of 1152	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	33
PID 2112 wrote to memory of 1152	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	33
PID 2112 wrote to memory of 1152	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	33
PID 2112 wrote to memory of 1152	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	33
PID 2112 wrote to memory of 1152	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	33
PID 2112 wrote to memory of 3032	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	34
PID 2112 wrote to memory of 3032	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	34
PID 2112 wrote to memory of 3032	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	34
PID 2112 wrote to memory of 3032	2112	JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe	34
PID 3032 wrote to memory of 2912	3032	gins.exe	35
PID 3032 wrote to memory of 2912	3032	gins.exe	35
PID 3032 wrote to memory of 2912	3032	gins.exe	35
PID 3032 wrote to memory of 2912	3032	gins.exe	35
PID 2912 wrote to memory of 2616	2912	iexplore.exe	36
PID 2912 wrote to memory of 2616	2912	iexplore.exe	36
PID 2912 wrote to memory of 2616	2912	iexplore.exe	36
PID 2912 wrote to memory of 2616	2912	iexplore.exe	36
PID 3032 wrote to memory of 2128	3032	gins.exe	40
PID 3032 wrote to memory of 2128	3032	gins.exe	40
PID 3032 wrote to memory of 2128	3032	gins.exe	40
PID 3032 wrote to memory of 2128	3032	gins.exe	40
PID 2912 wrote to memory of 2392	2912	iexplore.exe	41
PID 2912 wrote to memory of 2392	2912	iexplore.exe	41
PID 2912 wrote to memory of 2392	2912	iexplore.exe	41
PID 2912 wrote to memory of 2392	2912	iexplore.exe	41
PID 3032 wrote to memory of 2724	3032	gins.exe	43
PID 3032 wrote to memory of 2724	3032	gins.exe	43
PID 3032 wrote to memory of 2724	3032	gins.exe	43
PID 3032 wrote to memory of 2724	3032	gins.exe	43
PID 2912 wrote to memory of 2652	2912	iexplore.exe	44
PID 2912 wrote to memory of 2652	2912	iexplore.exe	44
PID 2912 wrote to memory of 2652	2912	iexplore.exe	44
PID 2912 wrote to memory of 2652	2912	iexplore.exe	44

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\SeMiniSetup_3170_1202.exe
  "C:\Users\Admin\AppData\Local\Temp\SeMiniSetup_3170_1202.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2088
- C:\Windows\SysWOW64\drInstall.exe
  "C:\Windows\system32\drInstall.exe"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\TTSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\TTSetup.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1152
- C:\Windows\SysWOW64\gins.exe
  "C:\Windows\system32\gins.exe" /p-10611/-s4972/leoaedo
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.so456.cn/cjtest/conf.jsp?v=4&pk=10611&uid=zWAZXZhUr/augtkr15fLh6q4rSnJmYyj
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2616
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:209945 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2392
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:472084 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2652
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.so456.cn/cjtest/conf.jsp?v=4&pk=10611&uid=zWAZXZhUr/augtkr15fLh6q4rSnJmYyj
    3⤵
    PID:2128
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.so456.cn/cjtest/conf.jsp?v=4&pk=10611&uid=zWAZXZhUr/augtkr15fLh6q4rSnJmYyj
    3⤵
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
846cdb7a06950833de276962dbb83378

SHA1
c5bfbcf476d18419cec9cd428d81fbfc077dc1bf

SHA256
153fc28de3e73692292c4d1017f0bf5a4fbe29c7f726a3ceb90d12529c2b47b9

SHA512
d80abcd1a05385da1053a0f84e5f15c8fa974ddefc16b4e8ed2038bf9bd1aec909895dcf0d6d7d312e13a72b642af5e0d96b099741212295171842b323f89926

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8305ff279735f82a894642c6b21f1cbe

SHA1
9c383cf6c283d80d4b3402938dae0e2e2ea4e268

SHA256
76a8a4d55d16b9cef880706bdb44a933845062886b1c54abfaf4cf41c6514bd8

SHA512
030e1d0721673a9f840f8716ce7f3e61ecd2afdc9341196632dd2a7004734d9561380997b78a2431b2d2137bb741846bf069de94c892ac70d3c96b40cc71b1c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63e574dd9cc9e25b79afaa859432f780

SHA1
d6a225ae39bf47384a123625cff8d545ee98ed0a

SHA256
58265a6263a5eadadfa82f83c170d5acf00ef646ffea536d3f7895b0b54a5e1f

SHA512
b446f498e05685b33b52ad0a371a8e7e2aabafd962f264a846e14e6fbeac02eb71330a22049e9c9838d17c4597a3ce676ec61ca8c47f4caa8a02b8289e2e0fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1dd64fb832934a6bd225ab8b508c1957

SHA1
d4da27db725fc616474e8886069925a141e44ba0

SHA256
c14d017e1ffad67fdfeef92c6a5865ad17999c88affa8ac4e8e542437fa2fb3d

SHA512
609dce411aa172f54b081558007bc988b2d220c45ec5e4139e1f55ef9bf72d5e979a17bc90d53e05ee3a5310972bad6d261f5c5d53a5208a10ce62fa4a2a5b3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89ea56a540c1b29d6256b9f6790f9de5

SHA1
2531b15f4f9add57d1d43981c6467a789ecf1295

SHA256
c757a7a9f99364e812058b037d712b3570ea30307077bab9587734c7a0e1eabf

SHA512
b634ef102fa992f66cb702cd765317b214d925dacbb76b1780fe304880c2b49d3d230f8a58b9ee9e639ba90f04b75439f27bbc8447edc279fa1659a7db2e20a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e05bfc15154e9bd9832c7d4f0dfbe182

SHA1
e17cc3e6b2075001fb65f40bff30d05a2319b009

SHA256
db93299f2b72214dd94b7e600cb5d0a809b9ed185a72cf4cc99de0242d708149

SHA512
c6f4ed9670b78114b193ab66439410070b419d1554d5d88ce9accd310bd937b39350f56982b5ea1f3e18c03e953ddd029f756945f2931ed906f280ee6a4a7264

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e4ea4975f8bb71779dc1de489b37f2c

SHA1
226445e4fc9b8ea22d3e5426c75477b767492981

SHA256
f8e082fb5db6d27c3643f978a3227d009671df5c5b3eafff66def9e8301dcbf6

SHA512
b4fab45a74e5eb831e86de3d66917b84bc00ce05ec64abeb5b53799dbdc921a8c5e98719c861975556fcd1f8031667df9c3778fcf681bd10230e8c7368281951

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
285dc4c1a052f70fce4970467c2d2575

SHA1
72fe855999daf09eab266b5d6864003beabf5f04

SHA256
cec5349121876c5f721bf11cb9eb361d86a79bfe725b67da2a6a7de2926f208f

SHA512
4c144349e5fe7d6dcf108afb82909b018e28a4faeae8cf9af28595912ea5296526f7c278b06c9bea58491ccce0b59b2c58b1362d51ac229d667551912918c02e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5629f3a97b6168f2d5370f76273026b6

SHA1
b316205559b78bffb2d635363df739592e5af354

SHA256
2e464d9ca1ebbdd2e24318f779d7581fa03a314627747876b3e78754bfc6467e

SHA512
5778a725aa7e0b9bd9a455281961753601cc93648b04e3af1c1984676ed39ff9e72adb11228d961d2888f8d3d4059fbb09d3e014214b76c791691280d013ab78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
883c4921fb72f1ba40e7a9003ff79919

SHA1
87a16145124f9a347af49ad00bd75b2bb0c3e18b

SHA256
51d92b3f6ae44ae1feffeb7156dbd92cb9c8b31a17213e17a03df905f8d6ae2b

SHA512
5f341f1755d3ea2615c3703d6de2bab14f14587b0cb4e79ff8f46382bbdaa22ecbc47d3da6032be5184458ad9b6144ea69eeefb0e8ec0971642019ea28f49687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bf325ff11a2cb17fe7b74e0976ea2b0

SHA1
74fee9ed53adb05e62af49ec41f37b96645ecdc2

SHA256
4a7ebc66977a3698a05df9fff662907807b38716d613644743ab1aad2439eb35

SHA512
f42e1a5799daec05821e1539fde62d463fa6f3564b1f195000b66c190d697dbc13a57711e62d76eaadbd7ae1459b3ee08851fa4fc3e27134c518f7752604dcf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49181322531ee493e703d6712dacd70a

SHA1
0da48301ce0340cd964a8f490eccb6b72b8acead

SHA256
270b79ef057f584e4c46768e55090273f6346795652d441117dea5ab0c2f64c0

SHA512
dc7a845b3d365ae681ba38e4a56741e20adeecfc5cb764e92d083f300f5f446f729860bfdcc72aa11349950d91445fb18e789df9d43c4d0e882fe154a009786a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a186afdbd1e2b66e76def80e579d7b84

SHA1
b106eb97c688c170a29e39511a463ca76fa5a827

SHA256
767baa7f34c2d0c7f00ce3ab47a0808ec6b272970cdcba546a8aee0c280b4f8b

SHA512
fddcb94d5ca2937f67cc95a06f3fdf8e29c8cefd913472a3c9ab34c4a614cc419942723259d9b5a12ea7c825f928434455f072404a6be3101c6abbe499dd7a38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5b31843544b011b0061eede3550c15f

SHA1
e605a50df70bc654f2ab4cadaf76ff7feab84217

SHA256
d44847e52f8277e43fb911a20b86eaf647ad51cba5d313cdd5f11d26a2b9da8e

SHA512
b71cce692fcb79829ddbe62a27b9c15ceef9b7c1d23150616daa147ce88db7143b0cca80529659771b42424518b630a9691dbd3bec48083c6280f5da66a318e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c1139105ee4a2bc8b36bc78c61cd758

SHA1
0108767ecaedd341cbd9362fcc1e9badb94db101

SHA256
eb4ba3cdb5cba9eb92edf04edce7b117abb4867461fb14b85f63b112fd23ba63

SHA512
ad3cb23fa0e8c41db4e17cbb55d5f6f8e81929fe51fd04ff5be732a84b60c11131d81e0aa3e93dc67e959151053581c8e3e952fdc44f722e5ec81611653817b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48d94367fed97507f83cea75f88ea7fd

SHA1
032de59702778440a54ad1745cc2e74075c47926

SHA256
44f0943338a85bc15116ac75b865ea5ecfcd3c271219b05a2112f65cb11ce02a

SHA512
fb13e17cb0c9f5be2e4abee4e9fed8fba135a2d44e54e2af38ddd28543ec4220a208f0c2f3545d2a5aad4c189bad4ec83500827f81d067cf1ec6a5065002a096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
158a4a40140f6b0c42829c6cb30ff058

SHA1
39e56b24b14be908e34b5b52038e6403435821ed

SHA256
98d5e509008f90e71f46f1c06590754be5d624d045739ce006b61f1746e3edb3

SHA512
1c8abc79fe72653e217f33fa5766a4422e6199d92d96a7a46bb0efc3b28a18b46a348fdf57347e0dd6bf76173abb73ab8e7bc7267852bf973d414332ef060b47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e34bf6aa36eb666a80b8d6ab1de90a46

SHA1
c230922803b1f7a6bd3ae79deb26756ad316cc2a

SHA256
ce066c89c42477fc97bd694c9792d01b379c90ace21f85eddd90730cecdbfd63

SHA512
af45d53da8451be6a23950479055579532347f5d60949bfaa95a43c765dff1b730e2ed67b563458aecf8ef7e03aee3f07066b41d7b07db054336ea273196e51f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e4afcca73ee653c5b90bde68711128a

SHA1
151aa2f49c47c9f20b9382921a55c0f86b4e360f

SHA256
05aa7e0909902e6eaeb746a286ce421e72fdf2f9d06a094e10fdd9a8db433ecf

SHA512
438708a96fb0e6b2ce30439b324dad82c6803bdeda3339ee149939072196cb1d4818fca96b573e62af64e1370315afeef024ea2c8d342eda2e8d6989a8438ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e384e66a1bb0529cc5f3614ab2251354

SHA1
b9a15a562bda85f1105f1e044abde9ae31019bae

SHA256
fdde7ef6c9eb55776cceb808e9402c469665c00abe31d71eadcc07bf6824e804

SHA512
511ec77067cd1a6c6e88cd3cb995e16ada4eaca897f992ed6299e2b5dd37eee5df74f0d8f9e0b7ca79fb0ae0e85e9b94f3d4614bc6fd40908a465e54f44abe8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d99d81ec049355802cb3a5dce8a9f76c

SHA1
25d21f6377553b847b52e4a5e492a01d5cafa83a

SHA256
e7bc75a06cb5d04fdc9127cbb03780de2b67e2cbd5d809ade1509c6fe72610a7

SHA512
40202118ab22514a6e4da0386dd2c2b31dc9bbbd7dc0f9b55e309e7b7c8604d8142bd41ec7b0754b135b05b4618ce2d69489e08ea04ef19c855efa7413feb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE4F5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE574.tmp

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\TTSetup.exe

Filesize
87KB

MD5
9a19004a1ac13005b17a1a28732100a5

SHA1
0e6a8a911a1397154c4da68547432f2929d69718

SHA256
7a49567834a7868336b02fe25abd08bc4a47c29c466137d4e4b37db36006593e

SHA512
a7ef22d35efebb75b896a56e226c15343ead69576d805198add47cdf031dc548cc5116a4824015248bec9c9fe5db9fda18ace656a987acf409cc8fb30ca69423

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5A8.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
\Users\Admin\AppData\Local\Temp\SeMiniSetup_3170_1202.exe

Filesize
173KB

MD5
f7c61469c6f620345969e1654f3d8ce5

SHA1
25ef4a62e384bf53505b04b77078a7348e8849eb

SHA256
9f2aad3392eba89353494d3136e65435a37740a8143503b23e6fe55c27a3c84e

SHA512
5a0e127e78a29fb3f0d0c8935b590c0c702c5e4e1907e0dac969f79ff6a242deb1b2ef66144371a37bce8a99f611d8a3a88978f47e8f097feb3303434bc1c889

Download Submit
\Users\Admin\AppData\Local\Temp\pyd.dll

Filesize
82KB

MD5
2a23408ebe5285f0a76850366ecf25f5

SHA1
d38ca629f27f150869d725663842c1af680a1ea5

SHA256
ccbc1ede8afc097b0ddc0b9fcd2d160856c35de77102c1cf5b5f37635d1ba9dd

SHA512
54a946897300ffa3588abd30bb3d850f5ec55283a2dbae4ad8f19e1269361bac23228a1a0d881c4ff9c3df02ebe0b4048730b155a7e2d60c53ed6f66ef953991

Download Submit
\Windows\SysWOW64\drInstall.exe

Filesize
25KB

MD5
635d1f8c9c39a393840df7f352c10c9d

SHA1
8514f914961d04b8429c36182e8dc28e2909e135

SHA256
d1a204e0aa9dd4feb37ae32eac96dc89cd03be642c1b4a14fd5c95da463e4f32

SHA512
1acb5f84d0ba5f459963f2582acfffbb8335b83fc4bc7cb288412dbf3deb969990b733b71996908247713c3f10ad0e18906f3a7818c292d1eb37fb449c528576

Download Submit
\Windows\SysWOW64\gins.exe

Filesize
355KB

MD5
b9895803749177aa81d77008c3be67a8

SHA1
a222ae972db82897a071dd868ba059e2f59fce3a

SHA256
b3c94776c381d09d8ad0fd57e0c6332d2fb61081915e0f245608fdddca98a014

SHA512
cd69645e9a16a4344c40e02bda17bcb3c01909249925acf8fb33b43e6c0fb47a047074c41938cd6ca86142cd5411b59ac0d6a57c55c14431bcd5db95c7b4c0b8

Download Submit
memory/1152-28-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1152-36-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1152-30-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2112-26-0x0000000000C60000-0x0000000000C7A000-memory.dmp

Filesize
104KB

Download
memory/2112-16-0x0000000000C60000-0x0000000000C73000-memory.dmp

Filesize
76KB

Download
memory/2524-45-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3032-50-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download
memory/3032-47-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download
memory/3032-49-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads