bazarbackdoor | 122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb

Analysis

max time kernel
269s
max time network
301s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
31/12/2022, 16:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

LauncherFenix-Minecraft-v7.exe
Size

397KB
MD5

d99bb55b57712065bc88be297c1da38c
SHA1

fb6662dd31e8e5be380fbd7a33a50a45953fe1e7
SHA256

122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb
SHA512

3eb5d57faea4c0146c2af40102deaac18235b379f5e81fe35a977b642e3edf70704c8cedd835e94f27b04c8413968f7469fccf82c1c9339066d38d3387c71b17
SSDEEP

3072:puzvch1rugYc4wqYSRR756K7ItBjgXHUYCnlK:Wch1aIqYSRVM+unlK

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 11 IoCs

resource	yara_rule
behavioral1/files/0x000700000001adf8-325.dat	BazarBackdoorVar3
behavioral1/files/0x000700000001adf8-326.dat	BazarBackdoorVar3
behavioral1/files/0x0008000000000695-329.dat	BazarBackdoorVar3
behavioral1/files/0x0008000000000695-328.dat	BazarBackdoorVar3
behavioral1/files/0x000400000000069b-332.dat	BazarBackdoorVar3
behavioral1/files/0x000400000000069b-333.dat	BazarBackdoorVar3
behavioral1/files/0x000600000001ae09-336.dat	BazarBackdoorVar3
behavioral1/files/0x000600000001ae09-337.dat	BazarBackdoorVar3
behavioral1/files/0x000400000000069b-339.dat	BazarBackdoorVar3
behavioral1/files/0x000600000001ae0d-342.dat	BazarBackdoorVar3
behavioral1/files/0x000600000001ae0d-343.dat	BazarBackdoorVar3

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
1188	LauncherFenix-Minecraft-v7.exe
2688	LauncherFenix-Minecraft-v7.exe
2880	jre-8u351-windows-x64.exe
4672	jre-8u351-windows-x64.exe
1144	jre-8u351-windows-x64(1).exe
3272	jre-8u351-windows-x64(1).exe
3376	jre-8u351-windows-x64(1).exe
3924	jre-8u351-windows-x64(1).exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	bcastdvr.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	GamePanel.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	firefox.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\jre-8u351-windows-x64(1).exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	firefox.exe
Token: SeDebugPrivilege	1832	firefox.exe
Token: SeDebugPrivilege	1832	firefox.exe
Token: SeDebugPrivilege	1832	firefox.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
888	javaw.exe
888	javaw.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
4868	javaw.exe
4868	javaw.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1432	javaw.exe
1432	javaw.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
4672	jre-8u351-windows-x64.exe
4672	jre-8u351-windows-x64.exe
4672	jre-8u351-windows-x64.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
1832	firefox.exe
3272	jre-8u351-windows-x64(1).exe
3924	jre-8u351-windows-x64(1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 888	4472	LauncherFenix-Minecraft-v7.exe	66
PID 4472 wrote to memory of 888	4472	LauncherFenix-Minecraft-v7.exe	66
PID 4624 wrote to memory of 1832	4624	firefox.exe	72
PID 4624 wrote to memory of 1832	4624	firefox.exe	72
PID 4624 wrote to memory of 1832	4624	firefox.exe	72
PID 4624 wrote to memory of 1832	4624	firefox.exe	72
PID 4624 wrote to memory of 1832	4624	firefox.exe	72
PID 4624 wrote to memory of 1832	4624	firefox.exe	72
PID 4624 wrote to memory of 1832	4624	firefox.exe	72
PID 4624 wrote to memory of 1832	4624	firefox.exe	72
PID 4624 wrote to memory of 1832	4624	firefox.exe	72
PID 1832 wrote to memory of 3336	1832	firefox.exe	74
PID 1832 wrote to memory of 3336	1832	firefox.exe	74
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4568	1832	firefox.exe	76
PID 1832 wrote to memory of 4840	1832	firefox.exe	77
PID 1832 wrote to memory of 4840	1832	firefox.exe	77
PID 1832 wrote to memory of 4840	1832	firefox.exe	77
PID 1832 wrote to memory of 4840	1832	firefox.exe	77
PID 1832 wrote to memory of 4840	1832	firefox.exe	77
PID 1832 wrote to memory of 4840	1832	firefox.exe	77
PID 1832 wrote to memory of 4840	1832	firefox.exe	77
PID 1832 wrote to memory of 4840	1832	firefox.exe	77

C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe
"C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:888

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:4824

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 0000000000030118 /startuptips
1⤵
PID:1332

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
- Drops desktop.ini file(s)
PID:1116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1832.0.437461767\1430396563" -parentBuildID 20200403170909 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1832 "\\.\pipe\gecko-crash-server-pipe.1832" 1608 gpu
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1832.3.472598578\407143414" -childID 1 -isForBrowser -prefsHandle 2288 -prefMapHandle 2280 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1832 "\\.\pipe\gecko-crash-server-pipe.1832" 2324 tab
    3⤵
    PID:4568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1832.13.1744796381\949381584" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1832 "\\.\pipe\gecko-crash-server-pipe.1832" 3452 tab
    3⤵
    PID:4840

C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe
"C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe"
1⤵
- Executes dropped EXE
PID:1188
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4868

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:4040

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 0000000000040054 /startuptips
1⤵
- Checks SCSI registry key(s)
PID:1316

C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe
"C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe"
1⤵
- Executes dropped EXE
PID:2688
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1432

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:1896

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 000000000006005C /startuptips
1⤵
PID:3472

C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe
"C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe"
1⤵
- Executes dropped EXE
PID:2880
- C:\Users\Admin\AppData\Local\Temp\jds240764859.tmp\jre-8u351-windows-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\jds240764859.tmp\jre-8u351-windows-x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4672

C:\Users\Admin\Downloads\jre-8u351-windows-x64(1).exe
"C:\Users\Admin\Downloads\jre-8u351-windows-x64(1).exe"
1⤵
- Executes dropped EXE
PID:1144
- C:\Users\Admin\AppData\Local\Temp\jds240800062.tmp\jre-8u351-windows-x64(1).exe
  "C:\Users\Admin\AppData\Local\Temp\jds240800062.tmp\jre-8u351-windows-x64(1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3272

C:\Users\Admin\Downloads\jre-8u351-windows-x64(1).exe
"C:\Users\Admin\Downloads\jre-8u351-windows-x64(1).exe"
1⤵
- Executes dropped EXE
PID:3376
- C:\Users\Admin\AppData\Local\Temp\jds240806343.tmp\jre-8u351-windows-x64(1).exe
  "C:\Users\Admin\AppData\Local\Temp\jds240806343.tmp\jre-8u351-windows-x64(1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
d62c8236bfd6d8524269afdd26460a54

SHA1
93be24772e4426e73dc3d67821765205d87d6158

SHA256
b9582f4b32e4454e32fd57805d0518d9306542cb2734b773ea22671ac0594b99

SHA512
c9cbd69051d27f46885b694ec8d77efdcb6fe0ccea647a7d7fc8f92b05d7ea3eab601640df0b38481e5e4304c31ef051c0ac876895956579890a60d99ac87c8f

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
82c698789470bba13561c9888947faff

SHA1
cd8ff8b45901300dc51d5dd3e3a033e7b93347c0

SHA256
b9c20de5d38b8bcd5282da947021223d256c4334a2dde3af0333f358da84456e

SHA512
97699df1a1686051d75b31667723ff089b5f757d4130e90fee8d35eb4e6c5ea2180dd7184214c6de85b6e7a0a8d10ae96dbb0e704958b6e37bd8e72b8e5663b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240764859.tmp\jre-8u351-windows-x64.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240764859.tmp\jre-8u351-windows-x64.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240800062.tmp\jre-8u351-windows-x64(1).exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240800062.tmp\jre-8u351-windows-x64(1).exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240806343.tmp\jre-8u351-windows-x64(1).exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240806343.tmp\jre-8u351-windows-x64(1).exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
b511c01bf04502f71073c9ccbd55e19d

SHA1
125984f4c888116539320a1d621d53ee8ce00c23

SHA256
1b181eab4089410aa26e5c8382cb61a6c235370275d12e05cf3d233de93bfa34

SHA512
574f8405f1b626dd39dd37e47f370895cacb62c9bf91e7d8ff970784b2526c158babd0b75d6be8f806f3789d2e32f5a400742b4d5e17763fda52ba5658bbc893

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
285KB

MD5
bc65b94b8942d62991b051d82718c635

SHA1
edeeafc09d37232f5494e8bb2cfcfbb643d53bcc

SHA256
44795c3f5097b0016ba68ccfc8ec850d6bbbb59251ebfda5e9b999b2b26fed62

SHA512
f54eb70488a98f78ce044b364e7d1f36f07e6b5a937b942185a5cb40645592660da6a5812ee74ad6752d7fa929a774db2239a15f011e8bd009bfba7b2dcb9a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
286KB

MD5
2fbaa72b116599e049be48251b04fb9d

SHA1
fc0e1de094c4581eafb43ca52b35ced6ba058d05

SHA256
cd25f42d2bb649bdd619a79b126d81e95b2d8dc375e56854dae77383383c4db4

SHA512
ee96b71868e3838640b988e46c423dc4ac46c52d584cbd4e95680a19b8d86336c8f857d31f0e3e370c5bc708966e2b18e8954d122a76c888170b801c1dfc5fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
287KB

MD5
6efe3e0e9d2775d977a0e891b51a356e

SHA1
8af119b0aa0f67049315da6abea3f48b97f2c63e

SHA256
2f56def8b075647ef114a95190ae64ab0bd44e7c1fc9ae68ae4c15344b349a39

SHA512
d786df0720820415e8d2945f57fe720cd88fe76424057cb3988966292d5324717a776694a5ad59e007a8e01966bad2a928da14a15a0918edfa529511db4bb1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
288KB

MD5
4dcd4c6e357d23f22ef1eada67370850

SHA1
f94adcd3632a9f3ae8f4ffe3d17176955b1afccb

SHA256
cdf1b1e3eb6e284cf27296b5c7d87df8182ec42cf12903ad30ccd4ad8b3ae45c

SHA512
b6918561444f7fca4f650d2aa9c4eedbf0cdccff60cb39350d3f42bfdd4a87518cfa1ed571d0e058b1e91a85ebfe3512a181c2a06dd565346a4fac197b4ee68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
310KB

MD5
457cba3fd6b9829d773c8d02f7b551ca

SHA1
62a75d9d0ade32b82337998c7c6f60d8a091a756

SHA256
a7f124fec41cab82b8d283d5a73507b52c26bee21db140223f0dd5d984e10f67

SHA512
0f4a257362815bfcb57039595422356794097494cda621b1c41d1e1f60f11b25ec85183e2f0a643ba150395d1fc9c546518113e507c637366af115ab7ee4f77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
310KB

MD5
457cba3fd6b9829d773c8d02f7b551ca

SHA1
62a75d9d0ade32b82337998c7c6f60d8a091a756

SHA256
a7f124fec41cab82b8d283d5a73507b52c26bee21db140223f0dd5d984e10f67

SHA512
0f4a257362815bfcb57039595422356794097494cda621b1c41d1e1f60f11b25ec85183e2f0a643ba150395d1fc9c546518113e507c637366af115ab7ee4f77e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3844063266-715245855-4050956231-1000\83aa4cc77f591dfc2374580bbd95f6ba_fb683904-d935-4145-88dd-4a05f296c648

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe

Filesize
397KB

MD5
d99bb55b57712065bc88be297c1da38c

SHA1
fb6662dd31e8e5be380fbd7a33a50a45953fe1e7

SHA256
122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb

SHA512
3eb5d57faea4c0146c2af40102deaac18235b379f5e81fe35a977b642e3edf70704c8cedd835e94f27b04c8413968f7469fccf82c1c9339066d38d3387c71b17

Download Submit
C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe

Filesize
397KB

MD5
d99bb55b57712065bc88be297c1da38c

SHA1
fb6662dd31e8e5be380fbd7a33a50a45953fe1e7

SHA256
122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb

SHA512
3eb5d57faea4c0146c2af40102deaac18235b379f5e81fe35a977b642e3edf70704c8cedd835e94f27b04c8413968f7469fccf82c1c9339066d38d3387c71b17

Download Submit
C:\Users\Admin\Downloads\LauncherFenix-Minecraft-v7.exe

Filesize
397KB

MD5
d99bb55b57712065bc88be297c1da38c

SHA1
fb6662dd31e8e5be380fbd7a33a50a45953fe1e7

SHA256
122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb

SHA512
3eb5d57faea4c0146c2af40102deaac18235b379f5e81fe35a977b642e3edf70704c8cedd835e94f27b04c8413968f7469fccf82c1c9339066d38d3387c71b17

Download Submit
C:\Users\Admin\Downloads\jre-8u351-windows-x64(1).exe

Filesize
63.5MB

MD5
562178803306580a156359563d9ab1ae

SHA1
47881b007d86a7794d83133523988997be675f3f

SHA256
53e4a48d164a0c8061b9c57398414d07cc7738bb9978a3ddbbb251323f311f67

SHA512
c63c950b4dfde214eddf6dba7583c9b8839307029d87807559a60cfe2346434546c764108720468939475f72ec065a70d80ba41a846f99429b1acfd50ab7943e

Download Submit
C:\Users\Admin\Downloads\jre-8u351-windows-x64(1).exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\Downloads\jre-8u351-windows-x64(1).exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/888-173-0x0000000002370000-0x0000000003370000-memory.dmp

Filesize
16.0MB

Download
memory/1188-189-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-184-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-178-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-179-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-194-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-193-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-192-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-191-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-180-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-182-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-186-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-187-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-188-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-190-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-183-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1188-181-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1432-320-0x0000000002C50000-0x0000000003C50000-memory.dmp

Filesize
16.0MB

Download
memory/4472-159-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-145-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-115-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-139-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-161-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-160-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-141-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-158-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-157-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-156-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-154-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-155-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-140-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-152-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-153-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-150-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-151-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-149-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-148-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-147-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-146-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-116-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-138-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-117-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-137-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-118-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-119-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-136-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-162-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-135-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-144-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-134-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-133-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-132-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-120-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-131-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-129-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-130-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-128-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-127-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-126-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-125-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-143-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-124-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-123-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-122-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-121-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4472-142-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-259-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

Filesize
16.0MB

Download
memory/4868-254-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

Filesize
16.0MB

Download
memory/4868-237-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads