babadeda | 716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25

Resubmissions

19-01-2022 16:33

220119-t2qk5abeck 10

25-11-2021 12:40

211125-pv9m7sfbhq 8

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-01-2022 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Size

7.5MB
MD5

4ec77eb8280485764b6bc22f6cf7d57e
SHA1

85215638743eeb6800aaada5d057e96032db6906
SHA256

716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25
SHA512

770b14b133ac0a7bfee3a973d43a5342cd021a731f1be4d557a332aa4945dbb9be6b25909291feeb766c3fd640ff943780d4172e2fe6f6c77a128585e7914954

Score

10^/10

babadeda gozi_ifsb 2002 banker crypter loader trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2002

get.updates.avast.cn

huyasos.in

curves.ws

rorobrun.in

tfslld.ws

Attributes

base_path
/sreamble/
build
250211
dga_season
10
exe_type
loader
extension
.sre
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml	family_babadeda
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml	family_babadeda

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

4 956 msiexec.exe
5 456 msiexec.exe
Executes dropped EXE 1 IoCs

Processes:

plcd-player.exe

pid process

1988 plcd-player.exe

flow	pid	process
4	956	msiexec.exe
5	456	msiexec.exe

pid	process
1988	plcd-player.exe

Loads dropped DLL 11 IoCs

Processes:

716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exeMsiExec.exeMsiExec.exeplcd-player.exe

pid	process
1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
1072	MsiExec.exe
1072	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
1988	plcd-player.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\W:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\M:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\T:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\Z:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\J:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\R:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\F:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\O:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f761796.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2035.tmp	msiexec.exe
File created	C:\Windows\Installer\f761798.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f761796.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E3E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI217D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f761798.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

456 msiexec.exe
456 msiexec.exe

pid	process
456	msiexec.exe
456	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exe716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe

description	pid	process
Token: SeRestorePrivilege	456	msiexec.exe
Token: SeTakeOwnershipPrivilege	456	msiexec.exe
Token: SeSecurityPrivilege	456	msiexec.exe
Token: SeCreateTokenPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeAssignPrimaryTokenPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeLockMemoryPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeIncreaseQuotaPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeMachineAccountPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeTcbPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSecurityPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeTakeOwnershipPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeLoadDriverPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSystemProfilePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSystemtimePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeProfSingleProcessPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeIncBasePriorityPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeCreatePagefilePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeCreatePermanentPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeBackupPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeRestorePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeShutdownPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeDebugPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeAuditPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSystemEnvironmentPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeChangeNotifyPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeRemoteShutdownPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeUndockPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSyncAgentPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeEnableDelegationPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeManageVolumePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeImpersonatePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeCreateGlobalPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeCreateTokenPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeAssignPrimaryTokenPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeLockMemoryPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeIncreaseQuotaPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeMachineAccountPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeTcbPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSecurityPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeTakeOwnershipPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeLoadDriverPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSystemProfilePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSystemtimePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeProfSingleProcessPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeIncBasePriorityPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeCreatePagefilePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeCreatePermanentPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeBackupPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeRestorePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeShutdownPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeDebugPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeAuditPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSystemEnvironmentPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeChangeNotifyPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeRemoteShutdownPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeUndockPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeSyncAgentPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeEnableDelegationPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeManageVolumePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeImpersonatePrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeCreateGlobalPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeCreateTokenPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeAssignPrimaryTokenPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
Token: SeLockMemoryPrivilege	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

956 msiexec.exe
956 msiexec.exe

pid	process
956	msiexec.exe
956	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

msiexec.exe716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe

description	pid	process	target process
PID 456 wrote to memory of 1072	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1072	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1072	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1072	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1072	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1072	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1072	456	msiexec.exe	MsiExec.exe
PID 1396 wrote to memory of 956	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe	msiexec.exe
PID 1396 wrote to memory of 956	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe	msiexec.exe
PID 1396 wrote to memory of 956	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe	msiexec.exe
PID 1396 wrote to memory of 956	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe	msiexec.exe
PID 1396 wrote to memory of 956	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe	msiexec.exe
PID 1396 wrote to memory of 956	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe	msiexec.exe
PID 1396 wrote to memory of 956	1396	716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe	msiexec.exe
PID 456 wrote to memory of 1940	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1940	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1940	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1940	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1940	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1940	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1940	456	msiexec.exe	MsiExec.exe
PID 456 wrote to memory of 1988	456	msiexec.exe	plcd-player.exe
PID 456 wrote to memory of 1988	456	msiexec.exe	plcd-player.exe
PID 456 wrote to memory of 1988	456	msiexec.exe	plcd-player.exe
PID 456 wrote to memory of 1988	456	msiexec.exe	plcd-player.exe

C:\Users\Admin\AppData\Local\Temp\716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe
"C:\Users\Admin\AppData\Local\Temp\716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\716ce7fe411f352686b4071074aa96e1456ab7a67445b3cf1c475e18a4e5ac25.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1642354232 " AI_EUIMSI=""
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1CA015DDFC20D953F37DB6D076A7B246 C
2⤵
- Loads dropped DLL
PID:1072

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9652FC24DB0FC022818D87439D7E3CB2
2⤵
- Loads dropped DLL
PID:1940

C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
"C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
7bdb33ae0cfe12530ae0cec47d8f0c29

SHA1
5a294c1d79af8095b9a7dfe4119ca811042f4c86

SHA256
6df73eb7dcde877677b34149dbaf19f8c6d4e1a371bae2935d7b1fe207f1bc6c

SHA512
60babadd5e8181eb87d4b51e59192789fb456beb4433396f3fa3c31e70ab7d54b18b5376624783215b747e22dfbab75eb05321b43e32bc50f777323068fbf1cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
80e4236bbae625099891ecccb944adbf

SHA1
ebf7f89d6158740120d1ad2dca14288ecddac8e1

SHA256
baa6d60c13d37803262be13ab7694975d8c71d844097b3b8ab6f5facde1113b5

SHA512
e5225a44757280ffd6a98ca3d8d38ab875f8cf40b515c6f8dba1eec9e9c40a4f982495356f650c467100878aae1727d60525f571c1c61e9c170c67d371873894

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI139B.tmp
MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDD0.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll
MD5
5aeb79663ea837f8a7a98dc04674b37a

SHA1
536c24ef0572354e922a8c4a09cf5350d8a6164d

SHA256
e13d9f958783595acd8acdbff4d587bca7e7b6a3aab796e2efbd65bd37431536

SHA512
25e4e48ec2162ea6342cfd823e789ed0b5a995bb61fa3fa68364d1ee2468974fa4e75c17eb2cb3ddb213e633136c9aab139bbf32fb8688ff5b1abf444e8bb652

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt
MD5
734b7cb601ea82d8b4a9926373323b06

SHA1
37490788b803335fa3aad761b3ea0010889b2d8d

SHA256
90f301e30b61cdf8ac5e29f4fdd0e81c535fcaabf06b48d36b110a3f35e5a3d2

SHA512
273f154273dedf9b06bba74aeb81bf905309b6f137a414310b1e96c218095cc6b49ee663932815d6771c9be1d033b014f57e7ae72c7b7fd396a9c254fa124706

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll
MD5
40c4ea80985e48c095d9f3af80215c12

SHA1
b7eaecb4cf5e45f7e3946bcd1c249a46428ca8c0

SHA256
2b1678502f69bccba816fe2901a12bd15567c4113d8ec5b0c9eba3a1aea7c633

SHA512
8c1fcfaceba8273d4307fdc2af0e8d137cf162838ed0c9ac198d0a29ec0e4e6b8a6b8c202bc415b2353889b4429ed9b07d784f367b2b339f65090242c78d64aa

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll
MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt
MD5
54a36434ca791404e0ee1894a7fb257a

SHA1
e99ba6366c22f9e4693f6317352eaa5854f0f429

SHA256
5fcc77ba8a6d6dca5ecd466f7706133a17571eaaa1b45d4613e2bf5c58dec678

SHA512
87942abbe3bc1c87bb77323d4e43d63a30ace3b569ff16363d871b77a306a64569a8655b0b3a526b31f901ba5f081bfe122b7df7f0c491637dd3050ec948d071

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll
MD5
fec0a2ab4ab150dad477e0d4885637ce

SHA1
5a3c8920de1b3f2f7867a20d05c94de5b2779b81

SHA256
746760fe317b9721fb761209f0f9f7e1a5126390970aac5fd93f11504ffe3d30

SHA512
11c7c941d31902ccc9f9e07166cf6e181e0adf7baea0986b863cefd71591431c0d630018b5514c66d6670bfad1f8acd363ac19bed486fb92b06de83a4669c7a0

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll
MD5
edceb39d12707299f6501ae9472a2fd1

SHA1
f4be70378af9fea7355307cf66e0f5a50590e974

SHA256
fa2c262a94f90dad052a6a5d190f347cd1b8d8bacd7417b8b3fff56f7d42ecb4

SHA512
08406bede6c980a1c36ec427c1d86f05f11a41ec366f3821d7b229649b10f3af9d37afe7a5a55c7d32d90f0b7d0a43848af3b20dea2d2d3669130aaa08729bd2

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll
MD5
85f6f590b5c4b8c7253e9c403c9be607

SHA1
d5a9db942a50c8821bacd7f6030202c57ec4708b

SHA256
d20552fd5c8c8c9759608a84db1e216da738f5e9f46de9e8a3f39a0d6265cb8b

SHA512
9c78cb444e28618d44e9deb23571fc7bbce268882c2803e0ccc0e84b3e6eab89c6af2aac0d81ef0d2c9fd1e9611cb35334ef3304fb16c5ba0481f6a7273c3660

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem4.js
MD5
e001fba3f73adb83b5b9dcd2a32f1c7b

SHA1
d0b3a5615f30226072ba90a961dbad1ce0ed23e2

SHA256
60a987cfe5ae817d5d5ed82e1f39c3c537321ee9ab9a0b902db2990f66b99887

SHA512
6df77e4ac29b0af120c2ee9380bacd4d1e02c08e9f6e7cd293959f7438294182b773b3c75e0ded111c3eefd511b09fdf2f43927d68884572f745464705ee81a9

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem5.js
MD5
866b6e8a186be6005a140cfe9f578cd8

SHA1
e0b2e5344097ef4c1c0a8be851c5de27c7f490db

SHA256
0a5731729919fedc1a3b81c651087ab200c9470fa75a89bebea73ae0478f30e5

SHA512
be84b6a9b893dc0d66113287942a388bafb0629ae67e6c02a8e09e98a028d50ccfa082a2c1b5bfafa273acf9e6338e961fa208b62ef6bee43d8bfd5e6d4619a9

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem5.json
MD5
d5be63a1e66e4d6597f49bfd15eb3d83

SHA1
6b0d0e3101edb0c92c14691745765de49cdb7c01

SHA256
a1cf701c876f916aacb12a3b952d1d2a38889c2ac118af9d89493f0a86a45c5d

SHA512
6f8cd8f4d18d978f9b30e00322e3cc020b1c3add6b6307ed96ebb47b422dd15dde4bb82698ae755cef57f8ba3b1bdbd6f47d83cf08471e7b131b8cf8b20aca55

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\ecb-eurofxref-daily.xml
MD5
376f44c2269588374f0f7e876bb3cffa

SHA1
1241ac750f7ca447d7a74eb516838c39516aa841

SHA256
3b96e197b1a47e7a391385638e13a0cf42e04e1665470a89eabecc67d1b91323

SHA512
744c894429453b5e40241fea6a2ebd354bf2b06c5ad9b4439be1ccacd15b89c487a1fe100851f23e7a2212ccac600fc8519224855d7ac72f09e6aabd1e8ac6c9

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi
MD5
9afc8137b547561655d454aff862e567

SHA1
2dab8b1b9f1ae612e9cd359207751b452c76cb0d

SHA256
86747f0567adbdd895e23e25760af726a87000bd01ebef994352efad7eb3987c

SHA512
91b99b561fbd3c6f3c2583cbf13d9faf31aafe6efdb82667f646ad9f245904d3ef8f37b4cd11e141ecbebdb7724414e21c4a8f7886ce68ffac7b0bb8b1b5383b

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\help.chm
MD5
df113262cbb4ad90d0d889620bdefb06

SHA1
d94d2111f9fd566941ff96dba6237d126591e512

SHA256
195bafb549728e15b392b5a2fcbd41003d2472b1ad82aed449175c37e5834657

SHA512
b3ddfcceffde24791dfb9587d5aebc406b9ec3408b38d50c70ac324931c37fd7f55099c7f84b8359a76aca1bb0e350977451639cc0e61241ebe16d6f4db90976

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll
MD5
249d164d4361f1bbf827331a2c5b8e64

SHA1
225ae2d2e277b817962d3a65666706bdf7ae6067

SHA256
492adeb85d95834a97fc2c1bd61347202111a3773ce4de35fc1597c52be7aab3

SHA512
16b656e17a305503a01c7429ec44dc9ded0dec39f50844f5caff2484af3f3551f11b620c63111361a5d333aa16a7db0a2dc7ff5c895aa6c9252f21ca42223a17

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll
MD5
b6723b31f67956e747493bc64f2c7a59

SHA1
72389ecf849bfda364e84258e5857a3df07e5bfc

SHA256
3361ac8727aba86ac7f3aac3a214c3cb76f1af9ff7ee5e94c52c30fdcb7d5064

SHA512
e17fea164bb00e65be0e58771a728fc9ced5bd65ae2fec9e55c5697e69a498404b6d52b529df774012c9f1268d29d97ad3cafd404bad58b3c36535a52ab6e09b

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll
MD5
7cc7637ab23a01396206e82ef45cda0e

SHA1
209cc6ce91e24383213f1c2456d43e48bd09b8c4

SHA256
e6c6568a2cd61e401db4e4f317f139852502eebb9fe1fbb9c92d7ecfa6524f7f

SHA512
e13c48d6cb7b2983221f00c3fdc5da4221d6b0383f68d74bcac2aaf95cc7ae702e65da517aad51ad7dad0b672f8436532f4612e7f0853ae0ca924635f3983f6d

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml
MD5
ef946663d3a336bdacb512bf32c8f8f2

SHA1
1a02b2dee5cd8815ba977a09505f0b38fea27665

SHA256
0b77203265adcb18a878383978bce5c8d6a1d253fe1efc16b8b161b42f03b79f

SHA512
b5e45c3f22f31fd1538c982c83f75da1015ff56235b26ea1707dca6b1bc1e41fb11557593ced91d5bf927b985511dba4047c898a1fe9eb7903932fdbf6c85829

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe
MD5
25ddbd309bb8094229704383977c7268

SHA1
1574d860469ee784034093199dc9533543e5c096

SHA256
8c7e6a620f4bbc343c2695c2e034cc628062b5c2a6b05461fc41b05436f45147

SHA512
16cf4205b16f83a3efec96660190efe254919ea18fbc6eb23f45d5c77b0a4a7efd5dfa36ec1fc43bd79d1d4959a2fa9e172ab842ce7de754cdc62912752892ba

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll
MD5
f0aed1a32121a577594ecd66980c3ed3

SHA1
288954a8d6f48639b7605488d2796b14291507e5

SHA256
d02cc01a7d9adc1e6f980d1a56d6a641df9e2a63fdc5f007264d1bf59ecc1446

SHA512
056670f3074af5a03326c2be5ffa0fec23010ddc25bbed07b295ea3f6c7f8dfbc73e40e11e20103efeb3b230096f630fb0a3cfa61c4e0a74c15a1cb6319d85d9

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll
MD5
b6723b31f67956e747493bc64f2c7a59

SHA1
72389ecf849bfda364e84258e5857a3df07e5bfc

SHA256
3361ac8727aba86ac7f3aac3a214c3cb76f1af9ff7ee5e94c52c30fdcb7d5064

SHA512
e17fea164bb00e65be0e58771a728fc9ced5bd65ae2fec9e55c5697e69a498404b6d52b529df774012c9f1268d29d97ad3cafd404bad58b3c36535a52ab6e09b

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml
MD5
ef946663d3a336bdacb512bf32c8f8f2

SHA1
1a02b2dee5cd8815ba977a09505f0b38fea27665

SHA256
0b77203265adcb18a878383978bce5c8d6a1d253fe1efc16b8b161b42f03b79f

SHA512
b5e45c3f22f31fd1538c982c83f75da1015ff56235b26ea1707dca6b1bc1e41fb11557593ced91d5bf927b985511dba4047c898a1fe9eb7903932fdbf6c85829

Download Submit
C:\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
MD5
25ddbd309bb8094229704383977c7268

SHA1
1574d860469ee784034093199dc9533543e5c096

SHA256
8c7e6a620f4bbc343c2695c2e034cc628062b5c2a6b05461fc41b05436f45147

SHA512
16cf4205b16f83a3efec96660190efe254919ea18fbc6eb23f45d5c77b0a4a7efd5dfa36ec1fc43bd79d1d4959a2fa9e172ab842ce7de754cdc62912752892ba

Download Submit
C:\Windows\Installer\MSI1E3E.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Windows\Installer\MSI1F1A.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Windows\Installer\MSI1F98.tmp
MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
C:\Windows\Installer\MSI2035.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Windows\Installer\MSI217D.tmp
MD5
2a6c81882b2db41f634b48416c8c8450

SHA1
f36f3a30a43d4b6ee4be4ea3760587056428cac6

SHA256
245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805

SHA512
e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

Download Submit
\Users\Admin\AppData\Local\Temp\MSI139B.tmp
MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDD0.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll
MD5
454418ebd68a4e905dc2b9b2e5e1b28c

SHA1
a54cb6a80d9b95451e2224b6d95de809c12c9957

SHA256
73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

SHA512
171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

Download Submit
\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll
MD5
454418ebd68a4e905dc2b9b2e5e1b28c

SHA1
a54cb6a80d9b95451e2224b6d95de809c12c9957

SHA256
73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

SHA512
171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

Download Submit
\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll
MD5
454418ebd68a4e905dc2b9b2e5e1b28c

SHA1
a54cb6a80d9b95451e2224b6d95de809c12c9957

SHA256
73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

SHA512
171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

Download Submit
\Users\Admin\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll
MD5
b6723b31f67956e747493bc64f2c7a59

SHA1
72389ecf849bfda364e84258e5857a3df07e5bfc

SHA256
3361ac8727aba86ac7f3aac3a214c3cb76f1af9ff7ee5e94c52c30fdcb7d5064

SHA512
e17fea164bb00e65be0e58771a728fc9ced5bd65ae2fec9e55c5697e69a498404b6d52b529df774012c9f1268d29d97ad3cafd404bad58b3c36535a52ab6e09b

Download Submit
\Windows\Installer\MSI1E3E.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
\Windows\Installer\MSI1F1A.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
\Windows\Installer\MSI1F98.tmp
MD5
0be6e02d01013e6140e38571a4da2545

SHA1
9149608d60ca5941010e33e01d4fdc7b6c791bea

SHA256
3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

SHA512
f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

Download Submit
\Windows\Installer\MSI2035.tmp
MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
\Windows\Installer\MSI217D.tmp
MD5
2a6c81882b2db41f634b48416c8c8450

SHA1
f36f3a30a43d4b6ee4be4ea3760587056428cac6

SHA256
245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805

SHA512
e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

Download Submit
memory/456-57-0x000007FEFB791000-0x000007FEFB793000-memory.dmp

Filesize
8KB

Download
memory/1396-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1988-103-0x00000000013D0000-0x000000000176B000-memory.dmp

Filesize
3.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads