f205efc58da5396bb6bff9d4af71889f525ff0cad6dac274e6f61f4fdf6039b2

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
Size

1.0MB
MD5

d11abfb770aa57350070a95f3d47dcd2
SHA1

3032cbe041d4ff5e97ead84a4057671f1c16f83d
SHA256

f205efc58da5396bb6bff9d4af71889f525ff0cad6dac274e6f61f4fdf6039b2
SHA512

0caa2ca261ce0ca7ac9c3710455e86b40c9921d92b6159485b43bb20457f2fd329662a2c8f6bdbecd2986313238217de5ac6a5502b51787829fb23929dc33036
SSDEEP

24576:bK8E+6SUmunH67nOs6qMPwvutzfAz3yyv6k4pj0ISQA6B:aHSMnH67n8dtzryyPZ0rQA6B

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1636	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2824	Green.exe
2872	Green.tmp
572	Green.exe
2660	Green.tmp
2092	sun18.exe

Loads dropped DLL 24 IoCs

pid	Process
2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
2824	Green.exe
2824	Green.exe
2824	Green.exe
2872	Green.tmp
2872	Green.tmp
2872	Green.tmp
2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
2628	cmd.exe
572	Green.exe
572	Green.exe
572	Green.exe
2660	Green.tmp
2660	Green.tmp
2660	Green.tmp
2660	Green.tmp
2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
2092	sun18.exe
2092	sun18.exe
2092	sun18.exe
2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Speedw\is-NK3OP.tmp	Green.tmp
File created	C:\Program Files (x86)\Speedw\is-AVEER.tmp	Green.tmp
File opened for modification	C:\Program Files (x86)\Speedw\Speedw.ini	Green.tmp
File opened for modification	C:\Program Files (x86)\Speedw\oem.ini	Green.tmp
File created	C:\Program Files (x86)\Speedw\is-B043R.tmp	Green.tmp
File created	C:\Program Files (x86)\soft911\setup_2107.exe	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\soft911\green.exe	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Speedw\unins000.dat	Green.tmp
File opened for modification	C:\Program Files (x86)\Speedw\unins000.dat	Green.tmp
File opened for modification	C:\Program Files (x86)\soft911\setup_2107.exe	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft911\run.EXE	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft911\Green.exe	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Speedw\is-650P1.tmp	Green.tmp
File created	C:\Program Files (x86)\soft911\count.exe	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Speedw\is-650P1.tmp	Green.tmp
File created	C:\Program Files (x86)\Speedw\is-UMMHF.tmp	Green.tmp
File created	C:\Program Files (x86)\soft911\a	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Green.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Green.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Green.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Green.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sun18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000073e5a6aeef2c77973c8371ddb882ab7552d89e060b5d17f561f43ee477604bbc000000000e800000000200002000000078f338a134ec0e478853b4d1b9d4691da502e33358bf9a8e4897b9f0579acd0090000000ddfd6c1934d59954144d38ca0510389b0ef0a1fabd38d38ae1e17637d312e5c70579d23f30891bbf49a4d09252009aecbb5ebe2f81aa9477b4d947933028c09bb97e0f6c4a2d8e0e36e8b4bf45935b01dab10f4ffecce0531a8bc61e3ef798b8c28e04497453c0152932f9f9a6ed8501af8312edfc5a41e3ce43a9761344ca5f91b59288d54f3895c913b43e59e4070840000000242d49cdbe29deecbe0d8c459d6b642386092c6eaa97a5edfd8b7f6294c598c2d8067c56578b56e2a8fa77abc79b3306129bc13474ff02055e2d38f32540899d	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431846125"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0051e4ace000db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D54CFB11-6CD3-11EF-AF60-7ED3796B1EC0} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000e4bf5682151778c12c2cd3ef332d7908d87c2f60acd95521f7204fa17f81f3d6000000000e800000000200002000000046b2abc8a135899f7c11c86d976d58ea368d04841c045fdc2247aa00c705b1db20000000cd3e2161f2f38114b8863465b3a5447b77b075b469dd446608e59f8c5ceba99040000000d1946bef6f0c4bb3ac3ffe39da66e53c887f81ed0cdd19f029140fd5d03ea3b9882ad6371950a24a0f196123eff3ac15832b4c2b92b09e57d10717ae4ad1a00c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2672	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2092	sun18.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1708	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	30
PID 2344 wrote to memory of 1708	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	30
PID 2344 wrote to memory of 1708	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	30
PID 2344 wrote to memory of 1708	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	30
PID 2344 wrote to memory of 1708	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	30
PID 2344 wrote to memory of 1708	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	30
PID 2344 wrote to memory of 1708	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2672	1708	IEXPLORE.EXE	31
PID 1708 wrote to memory of 2672	1708	IEXPLORE.EXE	31
PID 1708 wrote to memory of 2672	1708	IEXPLORE.EXE	31
PID 1708 wrote to memory of 2672	1708	IEXPLORE.EXE	31
PID 2344 wrote to memory of 2824	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2824	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2824	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2824	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2824	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2824	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2824	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	32
PID 2672 wrote to memory of 2696	2672	IEXPLORE.EXE	33
PID 2672 wrote to memory of 2696	2672	IEXPLORE.EXE	33
PID 2672 wrote to memory of 2696	2672	IEXPLORE.EXE	33
PID 2672 wrote to memory of 2696	2672	IEXPLORE.EXE	33
PID 2672 wrote to memory of 2696	2672	IEXPLORE.EXE	33
PID 2672 wrote to memory of 2696	2672	IEXPLORE.EXE	33
PID 2672 wrote to memory of 2696	2672	IEXPLORE.EXE	33
PID 2824 wrote to memory of 2872	2824	Green.exe	34
PID 2824 wrote to memory of 2872	2824	Green.exe	34
PID 2824 wrote to memory of 2872	2824	Green.exe	34
PID 2824 wrote to memory of 2872	2824	Green.exe	34
PID 2824 wrote to memory of 2872	2824	Green.exe	34
PID 2824 wrote to memory of 2872	2824	Green.exe	34
PID 2824 wrote to memory of 2872	2824	Green.exe	34
PID 2872 wrote to memory of 2628	2872	Green.tmp	35
PID 2872 wrote to memory of 2628	2872	Green.tmp	35
PID 2872 wrote to memory of 2628	2872	Green.tmp	35
PID 2872 wrote to memory of 2628	2872	Green.tmp	35
PID 2872 wrote to memory of 2628	2872	Green.tmp	35
PID 2872 wrote to memory of 2628	2872	Green.tmp	35
PID 2872 wrote to memory of 2628	2872	Green.tmp	35
PID 2628 wrote to memory of 572	2628	cmd.exe	37
PID 2628 wrote to memory of 572	2628	cmd.exe	37
PID 2628 wrote to memory of 572	2628	cmd.exe	37
PID 2628 wrote to memory of 572	2628	cmd.exe	37
PID 2628 wrote to memory of 572	2628	cmd.exe	37
PID 2628 wrote to memory of 572	2628	cmd.exe	37
PID 2628 wrote to memory of 572	2628	cmd.exe	37
PID 572 wrote to memory of 2660	572	Green.exe	38
PID 572 wrote to memory of 2660	572	Green.exe	38
PID 572 wrote to memory of 2660	572	Green.exe	38
PID 572 wrote to memory of 2660	572	Green.exe	38
PID 572 wrote to memory of 2660	572	Green.exe	38
PID 572 wrote to memory of 2660	572	Green.exe	38
PID 572 wrote to memory of 2660	572	Green.exe	38
PID 2344 wrote to memory of 2092	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	39
PID 2344 wrote to memory of 2092	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	39
PID 2344 wrote to memory of 2092	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	39
PID 2344 wrote to memory of 2092	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	39
PID 2344 wrote to memory of 2092	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	39
PID 2344 wrote to memory of 2092	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	39
PID 2344 wrote to memory of 2092	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	39
PID 2344 wrote to memory of 1636	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	41
PID 2344 wrote to memory of 1636	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	41
PID 2344 wrote to memory of 1636	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	41
PID 2344 wrote to memory of 1636	2344	d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d11abfb770aa57350070a95f3d47dcd2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.yftk.cc/?000
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yftk.cc/?000
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2696
- C:\Program Files (x86)\soft911\Green.exe
  "C:\Program Files (x86)\soft911\Green.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\is-4UKRH.tmp\Green.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4UKRH.tmp\Green.tmp" /SL5="$6011E,744477,52224,C:\Program Files (x86)\soft911\Green.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\soft911\Green.exe"" /sp- /VERYSILENT /norestart
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Program Files (x86)\soft911\Green.exe
        
        "C:\Program Files (x86)\soft911\Green.exe" /sp- /VERYSILENT /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:572
      - C:\Users\Admin\AppData\Local\Temp\is-E615T.tmp\Green.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E615T.tmp\Green.tmp" /SL5="$4017E,744477,52224,C:\Program Files (x86)\soft911\Green.exe" /sp- /VERYSILENT /norestart
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2660
- C:\Program Files (x86)\soft911\sun18.exe
  "C:\Program Files (x86)\soft911\sun18.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temg_tmp2.bat"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft911\Green.exe

Filesize
978KB

MD5
64e38efc3ea1835950b14c9a348c99c9

SHA1
acae91f4d32ab9bab54ff501a278d7923a1a0599

SHA256
de7efb99d3f4c91146546dde2b8fb6d187ebd566ba3ebdea3511cba0ab1cb974

SHA512
68c3d31e8f812eedb583bb790a486249a9250c7306481b17075826bd835362f3047ac81600dd4674dc04af13f21b15b9fa0a28b4a6b6d96bd0a97217eba5dfce

Download Submit
C:\Program Files (x86)\soft911\setup_2107.exe

Filesize
2B

MD5
1ddb063b54ffcd13ed4440e3b9a0c92d

SHA1
dbf80ea61bea21e57c018ca48ea8e9cdb8590211

SHA256
85224a5c0186b205a3e0a1ac0ac023bfb8cc6f4bf19c90be88fc5f0c2316a9fa

SHA512
1f95eb70927dbf6421265f1356911649aca69ae149003b444ca6eb568c92806fe47ba6ebfe9ad4aadf442cf99f6e952fbc0b34bf70e90af9b4586ea101206476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fdfbd49f20a323918e5c9ec9e044199

SHA1
555ace1b895d1b294879b6601c704f471d545e28

SHA256
e4396fe3cd61327cc275ac28760e330777d7a925f689163b1eb6bb231af8a2fb

SHA512
6fed718d1a573d52c5dcf307c39a97bd1f86cb8f57729a7bd70dbe8f98c23a199cb11311fc15e4adb3279286a705f057137f176b58b822fc2cd0a9ab951b8169

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
343cd1be3e18de81db9bdba429955caa

SHA1
582c7d5997cd4f753bbd5151c9dd26e82fca9ec0

SHA256
6a98d96fbef44fe202011aea994c12e579b190a3aa3a3d3121b6635e517b76ae

SHA512
56a8c9261a9ea52a53cd0710b538c89ce947fab6e7944e880673e4ca1916b653d7a76cdc6c789db9cba46c4ec55a8a92e4bdbfa0cce04859d9ee76372e959e6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f09504e2285cecbb1e50fdf085e90fe0

SHA1
1c52937697383127098c79a74f40b492794923bb

SHA256
2c7c783b48b86b4747cf57c76a5e8481e5955f444bd6db7eefff5f9641961fec

SHA512
1375a558884bf175d37cd5653af1af3c6c2429fe9935d090f4efad96495061e7512702dc7573e96286d611047b4974799a0c789ed7798fb847a0cfe8eead1fff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fbe2bc9f2e857010977488db2d1a55e

SHA1
413398c36bbb4a7d607683baad9c4af2b280ba19

SHA256
b932d3c94ec9eae0312fda1381c7283999de06a45f3bf5f8c8b4c9bee792992a

SHA512
01fd0eed97691683d638fcbc8426af06d38aa23d51dd72bd5f697de73b258de35b21a25c9958e5be1ab5ea2426e675796445d29c732da15bd08c2b4e46efa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
015a46f003ded5ab85bfd22b718cf9c6

SHA1
e165c9fb66b58578300996210df603428d07d5dc

SHA256
251043dfa7ae51a06685e400a4d86bb029aea6d6ec0248f52ba9e514e0b0e0e2

SHA512
281cc31be0f75c884e5580f66af5b2f4f9f3352bdfdd9c7a0e804fbecfb876a364fcca55e05ad1e44aaee3ce76653014a1dac2bdf5a29234d240dd7f775e4ed7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e50e1b777e8927dee4c6d196c212cd0

SHA1
e7e4d44e47ae0671a2c9b75b0dbf0437041edb98

SHA256
4835757cff330bb1c0a506e2eea5ac077af2380ccebfbb0fd2e3a2d0dfad2b02

SHA512
28ce9fac105e43aa523c1d019dfccb5192c67a321e0d974672ccb3a6eecf05ea653deb91f3d5e86f68706623907ca8326a05554a3c755e5ae788bdd7e4fa5850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d75f719a67ab6f55d082f1f702f42d10

SHA1
53d5deb2a6944635d079b02aba9fc09f042306fc

SHA256
9f8c75b6e539e341ea238739fe9774e37435615efb3fd0a0c9103167a131e5e0

SHA512
a4fcd0b9f00c3c83c838be78a04c8ff8077065affa07484664f25e1420f6dd1050001266d7028aafc6e69eb0fc4b8f2bd3b21f451d070bc9858b46f71c1456b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b13c53d04c55e84ba5d6307f99838792

SHA1
58e690209983e5026a72a6cf02c3f52aa15c275d

SHA256
1b8eb58c92068bf129cac556fe5977e6cfa4b2b68a1d721cf68fc85e40a96bd2

SHA512
2d5ebbb35ffccb03938f618e5abbf6a11628564bece4b7ed8dd526773bfbc5d0bbdac428ebe152484d5ff25b0112fdbdf2959fc7cc43ae1e77e53fcc6e30e2ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8a012c704b59893a477e2ac5d342c3e

SHA1
56534cbea5f7b75611067f20e87f447a38693c1d

SHA256
d87890eb2263c130a2f58f964e89c0e245b76c1a28277442beaad0bba1f97809

SHA512
7d8fafe5b350ed164a2abac992f4b60e68081d299afb8504d4c5f044fdcde298eeaa3183e7fd018772ca017cd55afcb19e4097c833ed8b3afcfc686736caf5db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03c4fbe8b22af3fbaa5edbc0acd5ae40

SHA1
87c7d1b957c705f6be414dbd95c055f3f8d4eb5b

SHA256
846ef5f6664e707600985e6a8d61b83ea2dccb3a9c8ec0a404649bd8ad3540d7

SHA512
6397eb713a6027a3a062efec60e1994a95e510692ba86149b2274f4dd6c7cfd288c2e36cf0b6ef380194328a486272c80c31db18ecf16e356e2dcb7a043d16c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
459a1f876208a8c909fb2e5d60098881

SHA1
dceb641ca895a686c917f2c704623c98165d25dd

SHA256
4a0f11b3d167b81c920e071be996d7ec33497112c2309c6726e2d730171f5c4d

SHA512
52e2c3334f5186e235b6d6b7a440388f0b5f843624af3c96f6fb8525a6d7ec47923f77d9edc086aadb54e146459bfde75256ad9bd293667f05a0a41a08eb17ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94a2b6a8f1de6a99d1d2f8c0476c87ac

SHA1
0f69c59277c6c530e49ccabbc1cfd323a46c1484

SHA256
32aa3e170d497c71796746c6e6d69b0a6d97dc5127c928850ca2fca162b4d8da

SHA512
225afe3bf86e2500908417966b28baeb4025074934d231cf6540cb9e895ec5fc213a47be2d5b310d65ecdb91b212b5d2c32ddebd637bdf289bc05a730e2add5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adf697a2bc9325c4dfb7649c977fc892

SHA1
860a598e66ddc5b4e4023a293a348944e5f0417e

SHA256
19a172e217ae0d7257fef9222d6e448f6d9dada556252a6821ca23e4fb54bbb2

SHA512
84d68d02f9b76fbe3d747e87028ab9773da27692c5172a8bd99504a218537de1c9f4890b8e00b09ca9a951a18d41bc50557a768b7f1c95a6277af52d5238252f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
014010d0408d3a1c341e6a6a469ecee7

SHA1
eca0208e1b6a941ee445906bfe83c3457a819ede

SHA256
7a64d891c39de8794eb0f762b06f82009aeef7e5e6969b17f9fd6774005be0c9

SHA512
c748e825f553f795dcf87d609fbf2a1870662a6e07ff91edf46579ae04d2d82536a55606d1f5ef7825436486e2e453436b34452b7095be9310610beb07dd0e37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e49dcaedc4c19a71af536d61a8d0753

SHA1
be719b68b7408e47c946107c7e2ff6fb3f0d06d5

SHA256
d61c719cd5928d9d3ef7603c585c33231ec237570cc82c7063107ce1431d5720

SHA512
0d97e861a96a5a2d7ad2664aa4407aa717143fa3f3421c82c3f954576fa535df1d663819ee6aebccaaae316a4454ff319b7902fdc690272b66145c211e162c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cc9601afa5325e4938c8218c1a0575b

SHA1
3ea6680b702a7dfbefd0406d4a1d401bb6510e36

SHA256
b64f14e79b7b09a52d72c1db5804da363c356fb597b237f6bb0fb8087de447bc

SHA512
4022c5e494b5627bd18279a61db3f68dca2416efb1f92f2e4db57d251ce0cc4648a6f84334352a06e7356dadbfebdc3de5277a866b4013287c486208ca2e9c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2BC4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C25.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temg_tmp2.bat

Filesize
420B

MD5
cf263a10dcbe7341674e4ba11cca4517

SHA1
d5bf64d14841ac91982d4b4cd46990349d3db386

SHA256
1641972b6cfa1dd0f0233e7f2ae1bf95b3e1187b48936b7401403b71915a22f5

SHA512
bb6e311e5de7702156775db055a23e9c83f2d65ecb9639a7e0da0c24a94c1e9add3b4e3179788577f4874935560de2fe651f9623cb4c825093c32141ddc5a8a0

Download Submit
\Program Files (x86)\Speedw\Speedw.exe

Filesize
1.4MB

MD5
548f8a2766a9c75c9c43c5d583e80d34

SHA1
0259de3e8fe1e5d99bae06aa65253d1e7cc1419f

SHA256
a4eee83f86d97bfe06b96c9fea3228f392bd5d1c1ea05499bfa26956dc039dcc

SHA512
4324f721690ccc8ef62f2ac27a45717c0892f7747695e4800300c497c04b60dae0e3194c4ea5fafdfeb72f94665f31d97e3bf5f6c142f32d14bf3207eaa5e26d

Download Submit
\Program Files (x86)\soft911\sun18.exe

Filesize
40KB

MD5
87730a2424bc90141d6fd85e2161763e

SHA1
1ccf9da7cc09ac2484164d342a68d2dbf080b59c

SHA256
22d0bcfb872080641aa6d90c990c3b7e184d2f7f61fd91c5be133e4a74d8c0e7

SHA512
e1d64bc6828798f51738ecbc9afb5a8d6f6cfcecc031b7c12286f6f9822545f4bd5398563ed71581acc1f086e343f458327acac94f8fa62d746eb49606a3c099

Download Submit
\Users\Admin\AppData\Local\Temp\is-0NH2G.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-0NH2G.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-4UKRH.tmp\Green.tmp

Filesize
707KB

MD5
bf6be714c784b9157099cbc15df5b38a

SHA1
20303eec37cf9c7277a3f42ea4c74dc35fcb31e3

SHA256
40ea597e3a3825c9ccb672f00f6229991914e03b9fd66aa7898ef3dcc255bafe

SHA512
c5c8097465d1418ffc6806c0f5c4a21277042580975bc0bc1153e5245bbcfcc11ef13d6ef001a1b613910da2abdf452a5432488f7ff3fdd6ca1450006f75cb0d

Download Submit
\Users\Admin\AppData\Local\Temp\nst178.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nst178.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
memory/572-95-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/572-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2660-94-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2824-20-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2824-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2824-41-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2872-40-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download