280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

Analysis

max time kernel
330s
max time network
322s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
Size

84KB
MD5

79930adcabd0714d7c3d0c293d983a5d
SHA1

eb2cafb7776d40b36e175054d0e29cfe0071bf2f
SHA256

9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0
SHA512

00f951e4bb7c8f3416888ddfb12f6e0d2e1ff2ce0cefd2f1c7c5402f0e2399d2baab51ac449640b4dfc1d01b337920b4f3772fc50fc4760518b349da0da1510f
SSDEEP

1536:qqq+QPmPwFmlnHOPyL5XdO3WQbqephuLBXlap0+1P6OJNRNU1HAk1:9qDmPwFKnHOPyIt61HAk1

Score

9^/10

discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (3462) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\wordpad.exe.mui	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baku	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Apia	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back_lrg.png	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\blacklist	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sqmapi.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files\Common Files\System\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files\Windows Defender\it-IT\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files\Common Files\Services\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxwebkit.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\net.properties	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\save.txt	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2956	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
2956	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
2412	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
2716	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
2716	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
2816	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
2816	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
2920	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
2920	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2412	2956	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	30
PID 2956 wrote to memory of 2412	2956	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	30
PID 2956 wrote to memory of 2412	2956	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	30
PID 2956 wrote to memory of 2412	2956	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	30
PID 2412 wrote to memory of 2716	2412	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	34
PID 2412 wrote to memory of 2716	2412	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	34
PID 2412 wrote to memory of 2716	2412	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	34
PID 2412 wrote to memory of 2716	2412	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	34
PID 2412 wrote to memory of 2816	2412	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	35
PID 2412 wrote to memory of 2816	2412	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	35
PID 2412 wrote to memory of 2816	2412	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	35
PID 2412 wrote to memory of 2816	2412	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	35
PID 2716 wrote to memory of 2920	2716	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	36
PID 2716 wrote to memory of 2920	2716	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	36
PID 2716 wrote to memory of 2920	2716	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	36
PID 2716 wrote to memory of 2920	2716	9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe	36

C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
"C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
  "C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe" --Admin
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
    "C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe" --ForNetRes x5I74v4h003xJ0iyhUfHQ8W6o0RDSicmSfg72KVA 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0 IsNotAutoStart
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
      "C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe" --Service 2716 x5I74v4h003xJ0iyhUfHQ8W6o0RDSicmSfg72KVA 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2920
- - C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
    "C:\Users\Admin\AppData\Local\Temp\9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe" --Service 2412 x5I74v4h003xJ0iyhUfHQ8W6o0RDSicmSfg72KVA 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini

Filesize
129B

MD5
24f120432bc903a2572389bda3318345

SHA1
be3c99a672ec3c401a4adb56873db5f53aede5ef

SHA256
9ec7d9ffbe0432712e7f143f6cf2c152bc80488230f65bb744ef33cfd44ea158

SHA512
28c1d25c0424d55051d03dbf7b4ff92830fb7290925bd37edaea840de4b0bad8e3a2c978489f37a00a314874a8a63f6b601213329c50c46f0cb52cecb415bffe

Download Submit
C:\MSOCache\save.txt

Filesize
42B

MD5
1fb4118372f42d6ef1305b295dec1823

SHA1
53a0c523a9ca6cd45e8192e45540a42952fbaee0

SHA256
456253001eac320215f324142daa41bb4afc629c3b6ffad36d0785614a037a38

SHA512
5c624fad8b646b1ea8d89d5756cb1a6b779cdeb225f422d0a5059b71f06f9aa7c127c6c5fdb5d01ffc06501fe85eecbc08013b9bfe9bec5780e3ca748380b685

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
5KB

MD5
0007d890f18017df2e0bae133c5d7547

SHA1
fe7fc45cbd6a02a413a79bd806f39c9d5a5065da

SHA256
34fd4b46e5fe0d3029e24c81ec9eb63abbadf3f00e7c84a649e214a79ac0357e

SHA512
ba98f1e03b569d56503e8879ef2cf0445f727fa88e62c19ee6d4eb113e52ea51e01b5e81829199f3a802c8d60e5d72301ac103728dd24287eda4e5c71e9ff195

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll

Filesize
809KB

MD5
a38fca706591460344f3c622fdde4ae1

SHA1
1333b47ed0bdb2cb056c75a417767bf13902778f

SHA256
2d5f22b8f6bebc6bc98891a9e7ff92ad6f950710b8e51a69c95586b2eb871f5b

SHA512
a93c4c58aac1f5e35cdb07145d0930aaab519bf4e22861915bd7c0a3e18dcddf1d5eaba64b8969f3d18ef5dc3a98e12b560df2d413c3f0774e587cd967ba8d45

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1808c1a5efed3bbd7c50011103bfce5f

SHA1
a90758d00f6ceaa9b6e58c85ac23eacb01605381

SHA256
5765b961519a2cb6b4166a1b959be6eb6364bcf3d873db5fa7d1c1ed90d3db0f

SHA512
280f2afc93ee046bb304278f82b436da546413e521facb04ff1b8328dd1f8bc0bdf556bd8ad4784362c7af4e0cce529918621390fbbee33d148f0affb58abb46

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
27B

MD5
37721153b2a6dbceb28a806b6ac18d45

SHA1
faa6c2e8f2c82914c48d2327cc2dadd902aad6a2

SHA256
3443fbd18a3f28d347bbac8d6325ffce41ff47c3625b5b284de045d786a09ef5

SHA512
88881b5f0831d2ca3fd7f14dc03b33b4cfe486fd750f3a56297e716c7391c75341ce9a655958bacd953d7efc6b914b024fe5b2f2bdfee3323b4c4f13c5310449

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
27B

MD5
94efc06c86ba37749c70533d8477a3a1

SHA1
ea8102e3fc06af4080dc98db11ef7d04b698d3d7

SHA256
42515b3662bf14f84f608a51a0c0233251edc91d8ca9727787cf43636f41e42d

SHA512
e75a6562f44bb23f9868b4d9586ffd526b1e44d9b5fc0a7950ff4c62ddd58b20102d0a110ee8ac9454edfb40fcac49090e852d1fb97f5ab615e90a7a34ff7ce0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
27B

MD5
4209da38099a52180717984c79c4ae05

SHA1
86f5b865d9ebd100dd9d5650d9f65b7242c5f887

SHA256
9c34bf5b3a170b6a34eae0205264ecb298a69cb89b0de68c9e52c4508bd4f56b

SHA512
fed3b8f523ed00755c33b522602bcdb9841cc043b2987253791df4fca100944eae3cd109d12e8555a8af2f720e96cd892c1258603aab468f4865a760519b60a4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
27B

MD5
125ddfe5c5abb0613ae48bace22c9f19

SHA1
9aac9a32e14cda78aff56980d3da5e6ba26e342b

SHA256
20a7958ca3032b6f331085aab7b4fa246e30a9cd41870c59ce10ffa8f75b7d3f

SHA512
d878352a33edb4b8971df5eb97a4cdc3b468b7874c6cc473c667e1ba74b1c189d4d687abbf83227e813fcf51231685bd333af4370a47c5c1806268e8dd393f63

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
62830e862d27256c5c76333ae3d23f5b

SHA1
547d18c21bba57df27044a02b488aeae27b5da10

SHA256
a478930678daff922a5a95e0aca70efafcf0909a346260a35b75b5d9808f9f0f

SHA512
e6726a3c677c3e12721a070c761e9305e2381d5c13794d789b5c5bef51232b39e969c8b965be16a0b429bb994afa3d07e3a6a0bbc469272dbdcca5c22b99384b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
659bb5555db24cc4722e25b2bf3f9f9f

SHA1
266f04adea326e6bd2e2cbab5642ab41cb4d026d

SHA256
e1c62af829f1d3458c5d97832e69571e4e3668a3808c72ed32bfb7cd210c37a9

SHA512
fa4d0222514617ce02dd157245e4a44cc9314c3b17d32c8114c5893d1aaaf70fe7ececd57ba1bf4b0409ec9ea6c24c38257665a2f1cc199bf1159d67902ce628

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
57B

MD5
bfd4951343d2ee3c45df223f61a2b0ba

SHA1
34b51082f28e7b4322cf69c14ff31b3a5e956250

SHA256
4d02daad2ad6f724555a3cbc349190729a3374ba4b4ea9382bfcc2a0ddd9ce32

SHA512
ad6ce989c31e168c5ec433c8c910cf358d0f69fccb373f0a81704dde3c900eed55cc75ecd253e216bdeb9b8b8b74145b6cfa7c0636e09669ce1a87550007c2ca

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
4380f2f288e18eee8a386edb36c089a6

SHA1
5c77ec10236c65c18d542e66cacee4a23b9d350d

SHA256
c510d3aba5c7f509003276fcb5b3569946c5fbee4dd462af28ef6acd93b95e37

SHA512
27cda2488a0f9030a24b48d58430eb55956e900526247eb537b360e4e11d3d48c477841bb0f478a8cdd497d7774aef6d05720e25b8a4f64247a68ab482dd0d64

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
7KB

MD5
722d7b46d1b4e112f78f1e617ebda4d3

SHA1
f16d4a30b188f6d916ef2e67de40345d0bd5a54a

SHA256
c32817a476225bbb48d10c2ce671ea6a5ea5d77a92dae12d67002d14f1aaf30a

SHA512
38732e8da7ff4d6cde7931155158096ee2f3d3b17ea074a592b2c6fa3d88fdbecfe814c89d06be72143726f271b24375524b9bf4f0f2ad2513993c52427b7900

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
7KB

MD5
2d3e5115953eda55a32d37aea1780031

SHA1
ec14036e1f0d0b6c813c109d11cbb08f891f2831

SHA256
9db498edbf4c465f3115efe3d0245d4faebb3f1c7a6a7db2fabfbf4b50da51c0

SHA512
b1f3238d08d57f6ea1cf926b29a342a6cfac907ad1a8aae05d13b319ebe7aea9c7a833e86782ba6d3490f07362e1412493f67775e1e05d408a47f9d278ac2fc2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
133B

MD5
29176d2f46ca2daa19270a1ed320124b

SHA1
f6cc7e269cc0083bf38de36261e7980cbc869d1e

SHA256
8dd9d47dae164ad5a4217bfba602d3665a5056f74e17ede857ee134e70e2d17a

SHA512
63212a692db6299ba5717310df79875e50acf2dffc0bd181010462b840ef5e243e6cbe4eb7a1817d8e96a695c65faca321f2c448c2b9b20272693c4645ff9e55

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
3KB

MD5
431380663366ead82ef7e699be12cd29

SHA1
25b5ceca95439e0d7426fdc35ebac0fe86c8220a

SHA256
1697a5cdf3c1016050a876dd648fd6b6d6e27780af5bac02cb71a474454afde7

SHA512
0bb819b1e9c856226f73b7690f9b74d2ecdbd8cbeef71938d8b15fefe2fc47ae64a9c8b109f63e4636ce72aa608b990ee9bcc0e86302b4d88d7b88d79bfba097

Download Submit
C:\Program Files\Java\jre7\LICENSE

Filesize
41B

MD5
dd2bbd3cdbc52b86376edba19e2dd7e0

SHA1
8f2f6b85a38da0d89e591460e82c743ef59d5951

SHA256
3b6059b22d9dc1552582ff936fb90694f2ad3b8c29e370565fb2259cf0ca9f00

SHA512
8d854497d6c3d6fc7d78920ed5d81b170d28d14b6cee2197e21ee5b88e4cb1317144780a6d6b5f4c3327c6509d6d88c7ed60e5a8b64718f9c2b12fca58481e35

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
a30f3fc12e719b5be02025bbf660f696

SHA1
5d9e947140d99e255ec3248f018ab9c401021b16

SHA256
d9d706b3e095b2a8b7a8c1b280ff3c0e1475755193dc82596909794c2ae69662

SHA512
27df782091fa38ab06fcfe53b2216fc7f953b5fa30bf3783f9dfd1b5e0d6afc0f25a91ab94ad51803cc05cbcbe936b9c22f224bedd16203781420c0a261e7961

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
937f4ebc8c736880ff4f55d99f40d791

SHA1
b0c023cfbe6da3edcd395ad73bb3faddf9232494

SHA256
66099ad2cfcc1e2058d4b90e8928cdeb3a0de16083ee7ec1a297c2e481ee7198

SHA512
cc1ee2ab1704e8312228344322ef0ea940363f26498fe12f7e2e20757e4bc88cd109a57955b15b66f6d02344c602871133b12204f3cf696eb83cb5aa21579c28

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

Filesize
3KB

MD5
20276093962f024b22d2c08bd934d9ac

SHA1
b7670b2cb0a4b2a3ce4215a7ba91f759024663be

SHA256
68ba0942aa1061ba4c9eef3961629d363dde77fdf423c6aec673bd4c62d04bc7

SHA512
1d3317f91bc054675b922621974cba04efed2696219eaa973d4f3a92a651933cdb607bf6ac5eba312c57c01020a742c9d44109cd9a355ca0be91e4e32eb5dbed

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

Filesize
27B

MD5
c69abb7b09df6097d8ff95a8388f09d8

SHA1
800f3a0a26f1f129a56de95381d23b35b738ee91

SHA256
8725e7214e07ba47298ace8cb7a09762709f684a47927372b31384be8edc77f9

SHA512
c15dab4a4a6afeffb96ff627f8c858144d13d983f8df8260d9b2507b54202a495ce777edb4d332e748404b2ccd6a955c1eff6080102d1dcac02e951c5205d828

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET

Filesize
1KB

MD5
d3171d5f59ba2f8c04000f3ddeb56714

SHA1
4a30c506704e7c2afb2a54a94aea8c60d0103d3f

SHA256
222b143a3c29fc6e500facbc60cf438c24e948f98d801fdb73c771f70cd4abab

SHA512
e37458b853159d2336fb3160811948e8ea86c5c307c0f938f8b777d9ed034ba633295ce44543fd9908aedae4f6d805ab191ea8690fbf438e7e33e5468afe85cb

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

Filesize
27B

MD5
f2799d16d9aa6b79b9adeb3c70710ed8

SHA1
74ec3ff4084b0366ea1de7bdf7b3d6df3e8b9f67

SHA256
739cb1c5902be5142bbd5a304d054a293a2b5027e0aa22ca42a8cc135525f39b

SHA512
3361086968c8abfacc5b7e5b82ac30b334bdfc87fb8e795f7aee4015cb015db8fb531f48701e21916aeee492fb0c88a60d1910783b9047ea3c59f19e0d4614af

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

Filesize
27B

MD5
98baf341c900f399191b5c42e9613853

SHA1
c13f02a27242d7dfc00019dac4b0a7b6fed5aff7

SHA256
67e1930f1ffaf36f3bfa51fc9b127957c6df8e7631adf13ced165c9a1aefb720

SHA512
7fb8b64cb00ae710a274c5b86b1e098a085b6986fe4f6c521fb0ee74923afed064ea56ff1fa1bddc5b097fed5d200a9cd03faa0262eb2b3f2ffacfa6f0862969

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

Filesize
27B

MD5
ce5134f2cd29f551950c05535b20544f

SHA1
21c4d2090cf383e747376a62c5f0b588e2e17ffd

SHA256
11a5f187e8f206c07f0cb3980526c3c481de512ad273f99d9d347bc341970e05

SHA512
1db75325c20fa072748409c9b8744b33871b384636b1f5dd11704aa33da3153d6b76f43c0a477b83e9463ec22408a408f24bf49717806cb8721f369d91c4ba89

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

Filesize
27B

MD5
ac8148f0841b231f0f54e54e14402754

SHA1
cca1f25f6f51a8f43fbc0c525e6b5d1592b87106

SHA256
74e9871934943f9469fb09cd7961cd9949573a0b41bf69b3935aa4df58f9b6ef

SHA512
c7ee92315a38144908050b668d28ef2c4f8ab5d5346143abb75d2df8915c3bfdaffb4c4c35838b41d30cede3f810463c23711b768b2501af3073d985fce26e7b

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

Filesize
27B

MD5
5fe2f6990eec56cb051e10a76a5efe29

SHA1
4a362cc4dad8dae181bd80bfc7bdb5334347b240

SHA256
610bc29f09ddacf0ad1dcc334a6b207580d7fb69ba8ed0ff2d81c43957f41c59

SHA512
c1a13b53a31ef4260c72ea216628ebd7b97324dba14a5b6d3c5e6185132d43fe4844ad84550134cf07e88c6de303f75d034beefd76699d60c1a8c45161d55ac6

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

Filesize
27B

MD5
81b975fc2a48df56fcee41cf0772d0d1

SHA1
9a6835ec224791e14b88e251668444084ebce94c

SHA256
10b35f38253ef21b67aab6e260bcab9f003bacc8fa3c623ef7e80e4ce8e88e3b

SHA512
817bfdde02792eaec262d86a36b3068dece2420cea280c9fa623d426cc79f8d2125456d6af405a9875d521f5e49c14f8db415ca19f394c8ea77286532a935dbc

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
584KB

MD5
955a6dcf91d11a5d788e8df5e124e290

SHA1
a31790a380c57f5ab1c646f78686f196c9261be7

SHA256
6566b263b2d79b7bc9c46811864d4aa52bc70bec533dd562d44bfed03e0030d4

SHA512
cff6688dc64b1572d4b964533411ee9cd21f36b8e6b8ec4757dfcc2c68bdebea750962277986187845f4612bbe733aeddba057a3bc7036d08fb05e4c2a4178a8

Download Submit