Analysis Overview
SHA256
b64d7367d098c192a762a38a973575d4664c1d702058a864534c581b2110a6cd
Threat Level: Shows suspicious behavior
The file b64d7367d098c192a762a38a973575d4664c1d702058a864534c581b2110a6cd shows suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Reads runtime system information
Writes file to tmp directory
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 12:31
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:31
Platform
debian9-mipsbe-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:31
Platform
debian9-mipsel-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool.jar
Network
Files
memory/2860-2-0x0000000002770000-0x00000000029E0000-memory.dmp
memory/2860-10-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2860-11-0x0000000002770000-0x00000000029E0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1224 wrote to memory of 1904 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 1224 wrote to memory of 1904 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\dns.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
memory/1224-2-0x0000016BA47A0000-0x0000016BA4A10000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | a0b819b2dec9d443c116be7edfa79dbb |
| SHA1 | 249331803de3961a9ab845bdac014fd2e5d7933f |
| SHA256 | d6e1f20e5a836b081d750cfb0540bb137c9e99680216afab2b8d1699e11a416a |
| SHA512 | dac344d390cabe20c996159e5ec507c5cf3338cfbdee76279083d28344cce1e34b03117d3e3a58be6291b9d6cb167f39bef6ce4226bbd7812ac39a9bc5d06d25 |
memory/1224-12-0x0000016BA2D70000-0x0000016BA2D71000-memory.dmp
memory/1224-13-0x0000016BA47A0000-0x0000016BA4A10000-memory.dmp
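The "Modifies file permissions" and "Suspicious use of WriteProcessMemory" rows in this run deserve a second look before they drive a verdict. `(OI)(CI)M` is icacls shorthand for a Modify right inherited by child files (OI) and child directories (CI); granting it to `everyone` makes `C:\ProgramData\Oracle\Java\.oracle_jre_usage` world-writable. That directory and the `<hash>.timestamp` file under it belong to the Oracle JRE usage tracker, which java.exe sets up the first time it runs, so the same command appears whenever an Oracle JRE first writes that directory. The WriteProcessMemory rows record java.exe writing into the icacls.exe child it has just created, which is part of normal process start-up on Windows rather than injection into an unrelated process. The script below is an added example, not part of the sample or of the sandbox: it splits icacls command lines like the one above, decodes the grant, flags world-writable grants, and separates the usage-tracker path (an allowlist assumed for this example) from grants on any other directory. The second command line is constructed to show the non-benign case.

```python
"""Decode icacls /grant arguments from a sandbox process list and flag
world-writable grants. Added example; not part of the sample or sandbox."""
import re
import shlex
from dataclasses import dataclass

# Inheritance flags icacls accepts in parentheses; anything else is a rights token.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific rights that allow writing to or deleting the object.
WRITE_RIGHTS = {"F", "M", "W", "D", "GW", "GA", "WD", "AD", "DC", "WA", "WEA"}
# Principals that make such a grant effectively world-writable.
WORLD_PRINCIPALS = {"everyone", "*s-1-1-0", "users", "builtin\\users",
                    "authenticated users", "nt authority\\authenticated users", "*s-1-5-11"}
# Assumption for this example: the one directory a stock Oracle JRE is expected to
# relax this way is its usage-tracker directory, created by java.exe on first run.
KNOWN_BENIGN_PATHS = {r"c:\programdata\oracle\java\.oracle_jre_usage"}


@dataclass
class Grant:
    path: str
    principal: str
    inherit: list
    rights: set
    world_writable: bool
    known_benign: bool


def split_windows_cmdline(cmdline: str) -> list:
    """Split on whitespace, honouring double quotes, without treating '\\' as escape."""
    lex = shlex.shlex(cmdline, posix=True)
    lex.whitespace_split = True
    lex.escape = ""          # keep backslashes in Windows paths
    lex.commenters = ""
    return list(lex)


def parse_grant_arg(arg: str):
    """'everyone:(OI)(CI)M' -> ('everyone', ['OI', 'CI'], {'M'})"""
    who, _, spec = arg.partition(":")
    inherit, rights = [], set()
    for group, bare in re.findall(r"\(([^)]*)\)|([^()]+)", spec):
        for part in (group or bare).split(","):
            part = part.strip().upper()
            if group and part in INHERIT_FLAGS:
                inherit.append(part)
            elif part:
                rights.add(part)
    return who.lower(), inherit, rights


def classify_icacls(cmdline: str) -> list:
    """Return one Grant per principal named after /grant; [] if not an icacls line."""
    argv = split_windows_cmdline(cmdline)
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower() if argv else ""
    if exe not in ("icacls.exe", "icacls") or len(argv) < 2:
        return []
    path, grants, i = argv[1], [], 2
    while i < len(argv):
        if argv[i].lower() in ("/grant", "/grant:r"):
            i += 1
            while i < len(argv) and not argv[i].startswith("/"):
                who, inherit, rights = parse_grant_arg(argv[i])
                grants.append(Grant(
                    path=path, principal=who, inherit=inherit, rights=rights,
                    world_writable=who in WORLD_PRINCIPALS and bool(rights & WRITE_RIGHTS),
                    known_benign=path.lower() in KNOWN_BENIGN_PATHS))
                i += 1
        else:
            i += 1
    return grants


def verdict(g: Grant) -> str:
    if not g.world_writable:
        return "ok"
    if g.known_benign:
        return "world-writable, but expected at this path (JRE usage tracker)"
    return f"world-writable: {g.principal} gets {','.join(sorted(g.rights))} on {g.path}"


# Command line copied from the behavioral10 process list above.
REPORT_CMDLINE = r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'
# Constructed: the same kind of grant on an application directory (Everyone SID, Full).
CONSTRUCTED_CMDLINE = r'icacls "C:\Program Files\Acme\bin" /grant *S-1-1-0:(OI)(CI)F'

if __name__ == "__main__":
    for line in (REPORT_CMDLINE, CONSTRUCTED_CMDLINE):
        for g in classify_icacls(line):
            print(f"{g.path}: {g.principal} {g.inherit} {sorted(g.rights)} -> {verdict(g)}")
```

Run against the report line the grant decodes to principal `everyone`, inheritance `OI, CI`, rights `M`, and is marked world-writable but expected; the constructed line is flagged for review. Anything that grants a world principal write rights on a path outside the allowlist is the case worth chasing in a report like this one.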
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
132s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1704 wrote to memory of 2308 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 1704 wrote to memory of 2308 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\hideme.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3924,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
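Most rows in this Network table are PTR queries (`*.in-addr.arpa`) sent to 8.8.8.8, not traffic the jar originated; the forward lookups and TCP sessions all go to Bing endpoints, consistent with the msedge.exe utility process listed under Processes, and the table carries no per-process attribution. A PTR name encodes the queried address with its octets reversed, so the lookups can be tied back to the connections in the same table. The script below is an added example, not sandbox output: it parses rows in the table format used on this page, decodes PTR names to addresses, and splits the run into forward lookups, connections, PTR lookups that match a recorded connection, and PTR lookups for addresses with no connection in the table. The sample rows are an excerpt of the behavioral12 table above plus one constructed row with an empty Domain cell in the shifted layout some extractions produce.

```python
"""Reduce a sandbox Network table to connections, forward lookups and PTR noise.
Added example; not sandbox output."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    country: str
    dest_ip: str
    dest_port: int
    domain: str      # '' when the report leaves the cell empty
    proto: str


def parse_table(text: str) -> list:
    """Parse '| Country | Destination | Domain | Proto |' rows as printed in the report."""
    flows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain      # empty Domain cell shifted the row left
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def ptr_to_ip(name: str) -> Optional[str]:
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def summarize(flows) -> dict:
    """Bucket flows; PTR lookups are matched against addresses actually connected to."""
    forward, conns, ptrs = set(), {}, {}
    for f in flows:
        ip = ptr_to_ip(f.domain)
        if ip:                                    # reverse lookup of some address
            ptrs[ip] = f.domain
        elif f.dest_port == 53 and f.proto == "udp":
            forward.add(f.domain)                 # forward DNS query
        else:
            conns.setdefault(f.dest_ip, set())    # an actual session
            if f.domain:
                conns[f.dest_ip].add(f.domain)
    return {
        "forward_lookups": forward,
        "connections": conns,
        "ptr_confirmed": {ip: n for ip, n in ptrs.items() if ip in conns},
        "ptr_unexplained": {ip: n for ip, n in ptrs.items() if ip not in conns},
    }


# Excerpt of the behavioral12 table above; the last row is constructed (empty Domain, shifted).
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
"""

if __name__ == "__main__":
    for bucket, value in summarize(parse_table(SAMPLE_ROWS)).items():
        print(f"{bucket}: {value}")
```

On the excerpt the three PTR names for 204.79.197.237, 23.62.61.72 and 204.79.197.200 line up with the recorded TCP sessions, while the lookup for 40.119.249.228 has no matching connection in the table, which is the bucket to inspect when a sample's own traffic is hiding among sandbox background noise.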
Files
memory/1704-2-0x000001D480000000-0x000001D480270000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 6949ebf6daafd767395fbe0db55cf4fa |
| SHA1 | d8f2f1542d31463974151c23e2e00ca9637051fb |
| SHA256 | ae4d3c3546535bdd215ee2bc17918f5e14567d1b7047ce06ae683f571a3d1080 |
| SHA512 | e9eb75cf6cc813d75607858ce2d7da79eb5524de9270f1e8c639ba0864dc95fd3503829aaf147d7ce111859dbbbc09cb102ba6dcdaff4df18c081ce9a0622ccf |
memory/1704-11-0x000001D4EFD90000-0x000001D4EFD91000-memory.dmp
memory/1704-13-0x000001D480000000-0x000001D480270000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240419-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap.jar
Network
Files
memory/2392-2-0x00000000025B0000-0x0000000002820000-memory.dmp
memory/2392-10-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2392-11-0x00000000025B0000-0x0000000002820000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5036 wrote to memory of 3556 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 5036 wrote to memory of 3556 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/5036-2-0x0000023DAB250000-0x0000023DAB4C0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | c68a7a38a13419bc19a05e545bd3ce1f |
| SHA1 | 6996923852cb025b246beac7381dd2a2e0341b5a |
| SHA256 | 795cf88f00806d2ffa38ccb7eeb6c295f7e834006d82045a7ce591f11b5052b6 |
| SHA512 | 9dc4c142f12451d5104dae05ebf188d918af70ee4870feaff42db7a5cbe212377eb5765c6ef24c94698315836e0727ff28469631ec60a904c41dcc6169351571 |
memory/5036-12-0x0000023DA9BF0000-0x0000023DA9BF1000-memory.dmp
memory/5036-13-0x0000023DAB250000-0x0000023DAB4C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:34
Platform
debian9-armhf-20240226-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
161s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 948 wrote to memory of 3812 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 948 wrote to memory of 3812 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\url.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
memory/948-2-0x0000024170C60000-0x0000024170ED0000-memory.dmp
memory/948-11-0x000002416F3D0000-0x000002416F3D1000-memory.dmp
memory/948-12-0x0000024170C60000-0x0000024170ED0000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
105s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3100 wrote to memory of 2676 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 3100 wrote to memory of 2676 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-idea.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| IE | 52.111.236.23:443 |  | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/3100-2-0x00000288BBC50000-0x00000288BBEC0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | d08c99f9f56a9d48e9929f7f9a0b4525 |
| SHA1 | f869a32e77df4743125533f4f1cd29bfaf7ba11f |
| SHA256 | be09b571af9d0f085787ba6081f33345ceae220f550142610b5dbd9cdf6d997f |
| SHA512 | cd6812a2841deeb3c7c60249aaba29dd9ea62e496cea85011e73e11a9f10c59943927f1beefb326176e1c394fd2cfa5c185275dc6d244dc5b8e37d9454c718dc |
memory/3100-13-0x00000288BBC30000-0x00000288BBC31000-memory.dmp
memory/3100-14-0x00000288BBC50000-0x00000288BBEC0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 2868 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 3008 wrote to memory of 2868 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\power.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/3008-2-0x000002314BF60000-0x000002314C1D0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 43c00811208303f0b7dab1286a104eb1 |
| SHA1 | fd829bd8df3e25b820d0e92db77d3564a44ef599 |
| SHA256 | 5ce17670319e75fb083cb9edae3a854812f708a84a540819217238be13a73f48 |
| SHA512 | 3adea1a4614c78c4c09c6b1d2dbd7906fa91c8b81fd7a85d6bb31211e5445ad9e8d544a7dd5c4e673855c13ff237e6882536f60f2278f67d38e324ef61897d89 |
memory/3008-12-0x000002314A690000-0x000002314A691000-memory.dmp
memory/3008-13-0x000002314BF60000-0x000002314C1D0000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1664 wrote to memory of 376 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 1664 wrote to memory of 376 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2017.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
Files
memory/1664-2-0x000001C7D34B0000-0x000001C7D3720000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 84d9daa92f8846828e3317e8c0e559e5 |
| SHA1 | a0f727030db080255d9d3cb0ff2a2ace99301b1b |
| SHA256 | 1f34dae99df252f98d87d744ac79b881c20950029a966f4ef40d7daced535183 |
| SHA512 | dbf57d8c2e069dde688bcbe3518d784530f0bc319f66832df4bb49183d126627a972cf9a3aab2f567378c82155a6b84d832fc102e39170c9218e719514c57cf6 |
memory/1664-13-0x000001C7D1CE0000-0x000001C7D1CE1000-memory.dmp
memory/1664-14-0x000001C7D34B0000-0x000001C7D3720000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240508-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap-v1.0.1.jar
Network
Files
memory/2076-2-0x0000000002710000-0x0000000002980000-memory.dmp
memory/2076-10-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2076-11-0x0000000002710000-0x0000000002980000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240508-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-phpstorm.jar
Network
Files
memory/1728-2-0x0000000002530000-0x00000000027A0000-memory.dmp
memory/1728-11-0x0000000000140000-0x0000000000141000-memory.dmp
memory/1728-12-0x0000000002530000-0x00000000027A0000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\power.jar
Network
Files
memory/2408-2-0x0000000002400000-0x0000000002670000-memory.dmp
memory/2408-10-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2408-11-0x0000000002400000-0x0000000002670000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
0s
Max time network
130s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2022.2/sed5oBQwT | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/PyCharm2017.3/config/sedDrZmWd | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/Rider2019.3/config/sedOLD8IQ | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2020.2/sedrMDXbU | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/PhpStorm2021.3/sedzbGGup | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2018.1/config/sedMecfjR | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/yz/active-agt-goland.jar | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2020.3/sedvBZXc4 | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Datagrip2021.1/sedpwEjLV | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/IntelliJIdea2018.3/config/sedkYb7bC | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/PyCharm2019.3/config/sed72gAJF | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/PyCharm2017.2/config/sedGFX6jE | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/DataSpell2020.2/sedH1Di1G | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2017.1/config/sed4zkuc0 | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2019.1/config/sedP5JQDz | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/IntelliJIdea2017.3/config/sedXd4ZxT | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2022.3/sedVFwqLS | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/PyCharm2020.2/sedhib1Qf | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/micool/plugins/mymap.jar | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/IntelliJIdea2020.1/sed3DdZZr | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Rider2021.1/sedVGUz4v | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2018.3/config/sedatHac0 | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/DataSpell2017.3/config/sedXjXDgA | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2019.2/config/sedblKB8Z | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/RubyMine2019.2/config/sed8f61ks | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/yz/plugins/power.jar | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2021.2/sedh3cUgc | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Datagrip2021.3/sedfdh783 | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/DataGrip2018.3/config/sedRu0Wl9 | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/WebStorm2019.3/config/seduCt9Id | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/RubyMine2022.2/sedfhmThV | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/yz/active-agt-rider.jar | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/micool.jar | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/DataSpell2022.3/sednynM5E | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2022.2/sedpWP1wj | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/IntelliJIdea2021.3/sed7J7Gci | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/PhpStorm2022.3/sed7NiPi7 | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/micool/config/url.conf | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2017.2/config/sedba82Bz | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2018.3/config/sedJoPNhR | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/PyCharm2017.1/config/sedtypXH4 | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/RubyMine2018.3/config/sed8O1XTi | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Clion2022.1/sedNAfotq | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Rider2020.1/sedJ2h89N | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/WebStorm2021.3/sedncuNJU | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2020.1/sedBYZFYk | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2017.3/config/sedN0I0Rh | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/yz/fuzzes/active-agt-rider.jar | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/GoLand2018.2/config/sedeOUNPS | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/micool/config/dns.conf | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/micool/plugins/dns.jar | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/~/yz/active-agt-pycharm.jar | /bin/cp | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2022.3/sedpNOiDs | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2021.3/sedvlyH4a | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/CLion2018.2/config/sed9esDKq | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/DataGrip2017.3/config/sedIdDKVq | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2020.2/sed7K6gbv | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/RubyMine2017.2/config/sedsFqu6Z | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2022.1/sed9ZtMiK | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/Rider2019.2/config/sedfcLH2g | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2022.1/sedJlazqk | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/Datagrip2022.1/sedlnpLlD | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrains/DataSpell2022.1/sedVxT0Lw | /bin/sed | N/A |
| File opened for modification | /tmp/macjihuo-2022/micool_macconfig/JetBrainsold/Rider2018.3/config/sedDbikG7 | /bin/sed | N/A |
Processes
/tmp/macjihuo-2022/mac.sh
[/tmp/macjihuo-2022/mac.sh]
/bin/sed
[sed -i s/bianliang1//g micool_macconfig/JetBrains/AppCode2020.1/appcode.vmoptions micool_macconfig/JetBrains/AppCode2020.2/appcode.vmoptions micool_macconfig/JetBrains/AppCode2020.3/appcode.vmoptions micool_macconfig/JetBrains/AppCode2021.1/appcode.vmoptions micool_macconfig/JetBrains/AppCode2021.2/appcode.vmoptions micool_macconfig/JetBrains/AppCode2021.3/appcode.vmoptions micool_macconfig/JetBrains/AppCode2022.1/appcode.vmoptions micool_macconfig/JetBrains/AppCode2022.2/appcode.vmoptions micool_macconfig/JetBrains/AppCode2022.3/appcode.vmoptions micool_macconfig/JetBrains/Clion2020.1/clion.vmoptions micool_macconfig/JetBrains/Clion2020.2/clion.vmoptions micool_macconfig/JetBrains/Clion2020.3/clion.vmoptions micool_macconfig/JetBrains/Clion2021.1/clion.vmoptions micool_macconfig/JetBrains/Clion2021.2/clion.vmoptions micool_macconfig/JetBrains/Clion2021.3/clion.vmoptions micool_macconfig/JetBrains/Clion2022.1/clion.vmoptions micool_macconfig/JetBrains/Clion2022.2/clion.vmoptions micool_macconfig/JetBrains/Clion2022.3/clion.vmoptions micool_macconfig/JetBrains/DataSpell2020.1/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2020.2/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2020.3/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2021.1/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2021.2/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2021.3/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2022.1/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2022.2/dataspell.vmoptions micool_macconfig/JetBrains/DataSpell2022.3/dataspell.vmoptions micool_macconfig/JetBrains/Datagrip2020.1/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2020.2/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2020.3/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2021.1/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2021.2/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2021.3/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2022.1/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2022.2/datagrip.vmoptions micool_macconfig/JetBrains/Datagrip2022.3/datagrip.vmoptions micool_macconfig/JetBrains/Goland2020.1/goland.vmoptions micool_macconfig/JetBrains/Goland2020.2/goland.vmoptions micool_macconfig/JetBrains/Goland2020.3/goland.vmoptions micool_macconfig/JetBrains/Goland2021.1/goland.vmoptions micool_macconfig/JetBrains/Goland2021.2/goland.vmoptions micool_macconfig/JetBrains/Goland2021.3/goland.vmoptions micool_macconfig/JetBrains/Goland2022.1/goland.vmoptions micool_macconfig/JetBrains/Goland2022.2/goland.vmoptions micool_macconfig/JetBrains/Goland2022.3/goland.vmoptions micool_macconfig/JetBrains/IntelliJIdea2020.1/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2020.2/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2020.3/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2021.1/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2021.2/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2021.3/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2022.1/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2022.2/idea.vmoptions micool_macconfig/JetBrains/IntelliJIdea2022.3/idea.vmoptions micool_macconfig/JetBrains/PhpStorm2020.1/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2020.2/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2020.3/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2021.1/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2021.2/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2021.3/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2022.1/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2022.2/phpstorm.vmoptions micool_macconfig/JetBrains/PhpStorm2022.3/phpstorm.vmoptions micool_macconfig/JetBrains/PyCharm2020.1/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2020.2/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2020.3/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2021.1/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2021.2/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2021.3/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2022.1/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2022.2/pycharm.vmoptions micool_macconfig/JetBrains/PyCharm2022.3/pycharm.vmoptions micool_macconfig/JetBrains/Rider2020.1/rider.vmoptions micool_macconfig/JetBrains/Rider2020.2/rider.vmoptions micool_macconfig/JetBrains/Rider2020.3/rider.vmoptions micool_macconfig/JetBrains/Rider2021.1/rider.vmoptions micool_macconfig/JetBrains/Rider2021.2/rider.vmoptions micool_macconfig/JetBrains/Rider2021.3/rider.vmoptions micool_macconfig/JetBrains/Rider2022.1/rider.vmoptions micool_macconfig/JetBrains/Rider2022.2/rider.vmoptions micool_macconfig/JetBrains/Rider2022.3/rider.vmoptions micool_macconfig/JetBrains/RubyMine2020.1/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2020.2/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2020.3/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2021.1/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2021.2/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2021.3/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2022.1/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2022.2/rubymine.vmoptions micool_macconfig/JetBrains/RubyMine2022.3/rubymine.vmoptions micool_macconfig/JetBrains/WebStorm2020.1/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2020.2/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2020.3/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2021.1/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2021.2/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2021.3/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2022.1/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2022.2/webstorm.vmoptions micool_macconfig/JetBrains/WebStorm2022.3/webstorm.vmoptions]
/bin/sed
[sed -i s/bianliang1//g micool_macconfig/JetBrainsold/AppCode2017.1/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2017.2/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2017.3/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2018.1/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2018.2/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2018.3/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2019.1/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2019.2/config/appcode.vmoptions micool_macconfig/JetBrainsold/AppCode2019.3/config/appcode.vmoptions micool_macconfig/JetBrainsold/CLion2017.1/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2017.2/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2017.3/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2018.1/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2018.2/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2018.3/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2019.1/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2019.2/config/clion.vmoptions micool_macconfig/JetBrainsold/CLion2019.3/config/clion.vmoptions micool_macconfig/JetBrainsold/DataGrip2017.1/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2017.2/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2017.3/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2018.1/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2018.2/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2018.3/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2019.1/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2019.2/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataGrip2019.3/config/datagrip.vmoptions micool_macconfig/JetBrainsold/DataSpell2017.1/config/dataspell.vmoptions 
micool_macconfig/JetBrainsold/DataSpell2017.2/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2017.3/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2018.1/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2018.2/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2018.3/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2019.1/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2019.2/config/dataspell.vmoptions micool_macconfig/JetBrainsold/DataSpell2019.3/config/dataspell.vmoptions micool_macconfig/JetBrainsold/GoLand2017.1/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2017.2/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2017.3/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2018.1/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2018.2/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2018.3/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2019.1/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2019.2/config/goland.vmoptions micool_macconfig/JetBrainsold/GoLand2019.3/config/goland.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2017.1/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2017.2/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2017.3/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2018.1/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2018.2/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2018.3/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2019.1/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2019.2/config/idea.vmoptions micool_macconfig/JetBrainsold/IntelliJIdea2019.3/config/idea.vmoptions micool_macconfig/JetBrainsold/PhpStorm2017.1/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2017.2/config/phpstorm.vmoptions 
micool_macconfig/JetBrainsold/PhpStorm2017.3/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2018.1/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2018.2/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2018.3/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2019.1/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2019.2/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PhpStorm2019.3/config/phpstorm.vmoptions micool_macconfig/JetBrainsold/PyCharm2017.1/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2017.2/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2017.3/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2018.1/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2018.2/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2018.3/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2019.1/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2019.2/config/pycharm.vmoptions micool_macconfig/JetBrainsold/PyCharm2019.3/config/pycharm.vmoptions micool_macconfig/JetBrainsold/Rider2017.1/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2017.2/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2017.3/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2018.1/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2018.2/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2018.3/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2019.1/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2019.2/config/rider.vmoptions micool_macconfig/JetBrainsold/Rider2019.3/config/rider.vmoptions micool_macconfig/JetBrainsold/RubyMine2017.1/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2017.2/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2017.3/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2018.1/config/rubymine.vmoptions 
micool_macconfig/JetBrainsold/RubyMine2018.2/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2018.3/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2019.1/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2019.2/config/rubymine.vmoptions micool_macconfig/JetBrainsold/RubyMine2019.3/config/rubymine.vmoptions micool_macconfig/JetBrainsold/WebStorm2017.1/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2017.2/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2017.3/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2018.1/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2018.2/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2018.3/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2019.1/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2019.2/config/webstorm.vmoptions micool_macconfig/JetBrainsold/WebStorm2019.3/config/webstorm.vmoptions]
/bin/cp
[cp -fR micool_macconfig/configfile ~/]
/bin/cp
[cp -fR micool_macconfig/JetBrains ~/Library/Application Support/]
/bin/cp
[cp -fR micool_macconfig/JetBrainsold ~/Library/Preferences/]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 89.187.167.7:443 | | tcp |
Files
/tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2020.1/sedfRNL9V
/tmp/macjihuo-2022/micool_macconfig/JetBrains/AppCode2021.3/sedTjpylL
/tmp/macjihuo-2022/micool_macconfig/JetBrains/Clion2022.1/sedNAfotq
/tmp/macjihuo-2022/micool_macconfig/JetBrains/Clion2022.2/sed5nuDBZ
/tmp/macjihuo-2022/micool_macconfig/JetBrains/DataSpell2022.1/sedVxT0Lw
/tmp/macjihuo-2022/micool_macconfig/JetBrains/Datagrip2022.1/sedlnpLlD
/tmp/macjihuo-2022/micool_macconfig/JetBrains/Goland2022.1/sed9ZtMiK
/tmp/macjihuo-2022/micool_macconfig/JetBrains/IntelliJIdea2022.1/sedBj4WrR
/tmp/macjihuo-2022/micool_macconfig/JetBrains/PhpStorm2022.1/sedJKAeLY
/tmp/macjihuo-2022/micool_macconfig/JetBrains/PyCharm2022.1/sedtsZeh6
/tmp/macjihuo-2022/micool_macconfig/JetBrains/Rider2022.1/sedFTms0d
/tmp/macjihuo-2022/micool_macconfig/JetBrains/WebStorm2022.1/sedvnb75t
/tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2017.1/config/sed4zkuc0
/tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2018.1/config/sedHrmCrI
/tmp/macjihuo-2022/micool_macconfig/JetBrainsold/AppCode2019.1/config/sedUJh8Hq
/tmp/macjihuo-2022/~/micool/config/dns.conf
/tmp/macjihuo-2022/~/micool/config/mymap.conf
/tmp/macjihuo-2022/~/micool/config/power.conf
/tmp/macjihuo-2022/~/micool/config/url.conf
/tmp/macjihuo-2022/~/micool/micool.jar
/tmp/macjihuo-2022/~/micool/plugins/dns.jar
/tmp/macjihuo-2022/~/micool/plugins/hideme.jar
/tmp/macjihuo-2022/~/micool/plugins/mymap-v1.0.1.jar
/tmp/macjihuo-2022/~/micool/plugins/power.jar
/tmp/macjihuo-2022/~/micool/plugins/url.jar
/tmp/macjihuo-2022/~/micool2017.jar
/tmp/macjihuo-2022/~/micool2018.jar
/tmp/macjihuo-2022/~/micool2019.jar
/tmp/macjihuo-2022/~/yz/config/power.conf
/tmp/macjihuo-2022/~/yz/fuzzes/config/dns.conf
/tmp/macjihuo-2022/~/yz/fuzzes/config/power.conf
/tmp/macjihuo-2022/~/yz/fuzzes/plugins/power.jar
/tmp/macjihuo-2022/~/yz/plugins/power.jar
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
160s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 2760 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 2428 wrote to memory of 2760 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3100 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
memory/2428-2-0x0000028CEEDE0000-0x0000028CEF050000-memory.dmp
memory/2428-11-0x0000028CEEDC0000-0x0000028CEEDC1000-memory.dmp
memory/2428-13-0x0000028CEEDE0000-0x0000028CEF050000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3448 wrote to memory of 3488 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 3448 wrote to memory of 3488 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\micool.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/3448-2-0x00000264D7260000-0x00000264D74D0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
memory/3448-13-0x00000264D7240000-0x00000264D7241000-memory.dmp
memory/3448-14-0x00000264D7260000-0x00000264D74D0000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\url.jar
Network
Files
memory/2884-2-0x00000000026F0000-0x0000000002960000-memory.dmp
memory/2884-10-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2884-11-0x00000000026F0000-0x0000000002960000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
91s
Max time network
105s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 720 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 1400 wrote to memory of 720 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2019.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
memory/1400-2-0x000001F2B2920000-0x000001F2B2B90000-memory.dmp
memory/1400-11-0x000001F2B1010000-0x000001F2B1011000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 3ecfd3a15ec5e7ed2515b1a5eadccb97 |
| SHA1 | f4a57fe6caea99b2a9ae6a893be90d2c46f3dab2 |
| SHA256 | cf7f77b1a0c1d0b9a435ed64ceeb222eac204ba6934a78e89aed5ceb374dd674 |
| SHA512 | 155ac125458b8a608b95a21c9ad446973a981ada01f5a0b20b6a11b2085ba8bd98420cfba1e18a56a188ff04cf62f63c54dec26b3a4657169da639375c939220 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
135s
Max time network
132s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 624 wrote to memory of 3916 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 624 wrote to memory of 3916 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2018.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3744,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8
Network
Files
memory/624-2-0x0000027369800000-0x0000027369A70000-memory.dmp
memory/624-11-0x00000273697E0000-0x00000273697E1000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 779c14896efbc28ea0d72302f89bbb76 |
| SHA1 | 0d2cb7e198c216d0f431620b03a90b6cff09e5db |
| SHA256 | 6431b08f19052f59a65f792ef80e8df6de98bb8b9c1ca2b224d9681e24baee34 |
| SHA512 | 5faf6d259ab7cb929ba48594b30ef1f0a8924f0e5dd29f8cea090758533cf9cb8ac525cf92f0af683052a8b7a06279d835725aa7519a066089a12ecb9a177e73 |
memory/624-15-0x0000027369A70000-0x0000027369A80000-memory.dmp
memory/624-17-0x00000273697E0000-0x00000273697E1000-memory.dmp
memory/624-18-0x0000027369800000-0x0000027369A70000-memory.dmp
memory/624-19-0x0000027369A70000-0x0000027369A80000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240215-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-goland.jar
Network
Files
memory/2408-2-0x00000000025F0000-0x0000000002860000-memory.dmp
memory/2408-11-0x0000000001D70000-0x0000000001D71000-memory.dmp
memory/2408-12-0x00000000025F0000-0x0000000002860000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-idea.jar
Network
Files
memory/2760-2-0x0000000002670000-0x00000000028E0000-memory.dmp
memory/2760-11-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2760-12-0x0000000002670000-0x00000000028E0000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1968 wrote to memory of 3652 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 1968 wrote to memory of 3652 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-phpstorm.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
Files
memory/1968-2-0x000001B5E70A0000-0x000001B5E7310000-memory.dmp
memory/1968-12-0x000001B5E7080000-0x000001B5E7081000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | fa77a4420d301b7eb0e2807189e055bb |
| SHA1 | 91efd2e86661293b20094dc2262792781ef93f3b |
| SHA256 | 465a06252684314de7d87475309a58c4b0510215d0f804dfa1ab9e44f2ef57e8 |
| SHA512 | 5e573db7615f777b01da0b925a7328f1746359d3f34fe32adfe31f4fedda895a43e1fae1fc7a565eaa66c0a99ac1f209c2ef026fad7fe392f3a5b83600fb8b6e |
memory/1968-14-0x000001B5E70A0000-0x000001B5E7310000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\dns.jar
Network
Files
memory/2984-2-0x0000000002400000-0x0000000002670000-memory.dmp
memory/2984-10-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2984-11-0x0000000002400000-0x0000000002670000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\hideme.jar
Network
Files
memory/2024-2-0x00000000025D0000-0x0000000002840000-memory.dmp
memory/2024-10-0x0000000000450000-0x0000000000451000-memory.dmp
memory/2024-11-0x00000000025D0000-0x0000000002840000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4844 wrote to memory of 1924 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 4844 wrote to memory of 1924 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\plugins\mymap-v1.0.1.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
Files
memory/4844-2-0x0000020964C90000-0x0000020964F00000-memory.dmp
memory/4844-11-0x00000209633D0000-0x00000209633D1000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 9ab40c8421744e6858b60b0eaf7233d0 |
| SHA1 | a0d114107dee7594d659d4c241258ca4a96a4534 |
| SHA256 | d052e6b1fb93c3f6b70adf88316b4ec46190822b820749366b8be6af3fc62b60 |
| SHA512 | 7fa50020cf99c73723707f08bbd0ae9ff0eab3bec39b983b14b6185471fa46d36a1b3fdd34bfd3efd7a10b6dcce7c239ed0599bcfbb09664acd8c00d74d23f63 |
memory/4844-13-0x0000020964C90000-0x0000020964F00000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240220-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2018.jar
Network
Files
memory/2836-2-0x00000000024E0000-0x0000000002750000-memory.dmp
memory/2836-10-0x0000000000440000-0x0000000000441000-memory.dmp
memory/2836-13-0x00000000024E0000-0x0000000002750000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240221-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\java.exe | N/A |
| N/A | N/A | C:\Windows\system32\java.exe | N/A |
| N/A | N/A | C:\Windows\system32\java.exe | N/A |
| N/A | N/A | C:\Windows\system32\java.exe | N/A |
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2019.jar
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
132s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 1488 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 2280 wrote to memory of 1488 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\yz\active-agt-goland.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
Network
Files
memory/2280-2-0x000001ADA9380000-0x000001ADA95F0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 2268ec75f82d72ffd738cee8f24b7b43 |
| SHA1 | 9dd842ace0e6b515e7fff8f9a9fa9008b1ec7b15 |
| SHA256 | c824118f582e1ff0ead001530db226b6ca26094274a938095b7ea35196cd519a |
| SHA512 | c438a873fc6df5914cd9eb220a9855269ec3b4a2b3e2238b8b32f7579dcdac3cce00c27d33d893644fbb9d32ad9771c71c3c892686d147902127512eef0dcebc |
memory/2280-13-0x000001ADA9360000-0x000001ADA9361000-memory.dmp
memory/2280-14-0x000001ADA9380000-0x000001ADA95F0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool\micool.jar
Network
Files
memory/2880-2-0x0000000002670000-0x00000000028E0000-memory.dmp
memory/2880-11-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2880-12-0x0000000002670000-0x00000000028E0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-06 12:31
Reported
2024-06-06 12:33
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\macjihuo-2022\micool_macconfig\configfile\micool2017.jar
Network
Files
memory/808-2-0x0000000002490000-0x0000000002700000-memory.dmp
memory/808-11-0x0000000000160000-0x0000000000161000-memory.dmp
memory/808-12-0x0000000002490000-0x0000000002700000-memory.dmp