bazarbackdoor | 122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb

Analysis

max time kernel
94s
max time network
146s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
29/12/2022, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LauncherFenix-Minecraft-v7.exe
Size

397KB
MD5

d99bb55b57712065bc88be297c1da38c
SHA1

fb6662dd31e8e5be380fbd7a33a50a45953fe1e7
SHA256

122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb
SHA512

3eb5d57faea4c0146c2af40102deaac18235b379f5e81fe35a977b642e3edf70704c8cedd835e94f27b04c8413968f7469fccf82c1c9339066d38d3387c71b17
SSDEEP

3072:puzvch1rugYc4wqYSRR756K7ItBjgXHUYCnlK:Wch1aIqYSRVM+unlK

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 9 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016d33-81.dat	BazarBackdoorVar3
behavioral1/files/0x0006000000016d33-82.dat	BazarBackdoorVar3
behavioral1/files/0x0006000000016d33-83.dat	BazarBackdoorVar3
behavioral1/files/0x0006000000016d33-84.dat	BazarBackdoorVar3
behavioral1/files/0x0006000000016d33-87.dat	BazarBackdoorVar3
behavioral1/files/0x0006000000016d33-85.dat	BazarBackdoorVar3
behavioral1/files/0x0007000000016ff6-90.dat	BazarBackdoorVar3
behavioral1/files/0x0007000000016ff6-88.dat	BazarBackdoorVar3
behavioral1/files/0x0007000000016ff6-91.dat	BazarBackdoorVar3

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2596	jre-8u351-windows-x64.exe
1644	jre-8u351-windows-x64.exe

Loads dropped DLL 6 IoCs

pid	Process
2564	chrome.exe
2624	chrome.exe
2564	chrome.exe
2624	chrome.exe
988	chrome.exe
2596	jre-8u351-windows-x64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	jre-8u351-windows-x64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1368	chrome.exe
988	chrome.exe
988	chrome.exe
2304	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
276	javaw.exe
276	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 276	1844	LauncherFenix-Minecraft-v7.exe	28
PID 1844 wrote to memory of 276	1844	LauncherFenix-Minecraft-v7.exe	28
PID 1844 wrote to memory of 276	1844	LauncherFenix-Minecraft-v7.exe	28
PID 1844 wrote to memory of 276	1844	LauncherFenix-Minecraft-v7.exe	28
PID 988 wrote to memory of 544	988	chrome.exe	30
PID 988 wrote to memory of 544	988	chrome.exe	30
PID 988 wrote to memory of 544	988	chrome.exe	30
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1524	988	chrome.exe	31
PID 988 wrote to memory of 1368	988	chrome.exe	32
PID 988 wrote to memory of 1368	988	chrome.exe	32
PID 988 wrote to memory of 1368	988	chrome.exe	32
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33
PID 988 wrote to memory of 1040	988	chrome.exe	33

C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe
"C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6454f50,0x7fef6454f60,0x7fef6454f70
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1048 /prefetch:2
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1780 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3340 /prefetch:2
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3576 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3960 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=540 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:2804
- C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe
  "C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\jds7150025.tmp\jre-8u351-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\jds7150025.tmp\jre-8u351-windows-x64.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,10046585982713203112,13163928770381412511,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:2628

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2840
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 8CF5CF34B71B5186991C91275CF84E38
  2⤵
  PID:1328
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  PID:2528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
29.1MB

MD5
ac117c21fdf6128efe5801939c39c879

SHA1
36e47e3395a84081a980a9c54e5572588049737f

SHA256
34a09ce273423872b3449edbaf5e1d923ddc75e3ca4d6ca1a0011d3a0d8a605c

SHA512
409af8194e89ae96a948306ce676ad6ad5db9960561273badecfb988f3afa0e2e487d9fa03705d4c77f2d441cb4edbac1b2d5fa899f96053e6f76eec8d131868

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08d55ee549378e3018f0eeb6dd788e96

SHA1
1f82cd8f5eee3ca59583d324573f9b007cd3e0c9

SHA256
8481b5982a2bdd1ae9f9c35337bb2dc799620490a6cabe6a819094841153e86c

SHA512
d3f696a2be1e883f32c1313a2b5b51d10d443ba2cbd420ad86ed63ec70c7b69bd2448e78a1a013f7491d4159ee60f943a8cf7e333fc9ce8e54f9b6fba5c1e9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7150025.tmp\jre-8u351-windows-x64.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
38KB

MD5
4a47b7c0905b634a2ebbb8b56dd2aab9

SHA1
1665650990086868dfdec005135c84167e79a15b

SHA256
a61868076916f38173e12dbd13394bcbd7b196027facd1af2eaad11276d9cd8b

SHA512
e1d80d22358d3a8572036cb2aaa76a252a31101975d7b36341136ade9ad17be383778f7211ee3e8b3111fce0297aefd1b0317e9b0df3e70a2a1261f4347570fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
29KB

MD5
941c75e47b6289cdbc651a80aa4cbd79

SHA1
baa35c1d1a727c07fe6cf77cea694453cc4e4486

SHA256
c7504f73a8a4f4ed078ef3902a58495e3416cf81bfcb897f7e05059cfc3a1c63

SHA512
69e002d5cdfa1a902f3aeab5b6ef7fd964c6ce34b9c7e60e213bebc65e27e62cb923b4de401fa5b280d294341e40c5ebc6c2a407570e73c2f9ce4e25a764f110

Download Submit
C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Windows\Installer\6dcd72.msi

Filesize
53.4MB

MD5
c42c18bae027f2b41314280639983e93

SHA1
8176906c69780a70cfa8cbd371c4fcaeb796f976

SHA256
8f8c3fc858fb70839f001334035754dd4a118a0ab80a8be0723f14573e0bb787

SHA512
004626749fa129c3ad16395c353387ac00c6b1ec23526c084bdfb25de9554525ccb69422834a0036e6f654b5e63cb6fad90c694fd8e8769d43f5147dd135cb31

Download Submit
C:\Windows\Installer\MSIEC16.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIF442.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIFBD2.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
46.6MB

MD5
0b074b3d99879ad73165417c9b1fd80d

SHA1
6d6c46364bd4686a895fb8e7edd19f99d952b97b

SHA256
3fa878d8ee7ff581ebec38e7559920ea05a226f0b17d979c2d9105f6f1da83ab

SHA512
cca9ae8602283f3e0e61f8c7b542c7549fad220d31d93a58bd1f8a8b492d4b709381ad7ddbc5485e37d1287a167c734e26a5b862524623004526d23ae605cd92

Download Submit
\Users\Admin\AppData\Local\Temp\jds7150025.tmp\jre-8u351-windows-x64.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7150025.tmp\jre-8u351-windows-x64.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\Downloads\jre-8u351-windows-x64.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Users\Admin\Downloads\jre-8u351-windows-x64.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Users\Admin\Downloads\jre-8u351-windows-x64.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Users\Admin\Downloads\jre-8u351-windows-x64.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Users\Admin\Downloads\jre-8u351-windows-x64.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Windows\Installer\MSIEC16.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIF442.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIFBD2.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
memory/276-72-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/276-74-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/276-79-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/276-70-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/276-69-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/276-80-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/276-78-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/276-68-0x00000000021E0000-0x00000000051E0000-memory.dmp

Filesize
48.0MB

Download
memory/276-77-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/276-73-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/276-76-0x00000000021E0000-0x00000000051E0000-memory.dmp

Filesize
48.0MB

Download
memory/276-56-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

Filesize
8KB

Download
memory/1844-54-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download