bazarbackdoor | 7e49e00be1992fbc4ac14f2e5e3c05dccadf8fba3c3936357d8df7f146f5f0a3

Analysis

max time kernel
126s
max time network
129s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/02/2023, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.871-Installer-1.0.6.exe
Size

23.7MB
MD5

49fb0f13cdb8d7cad1487889b6becced
SHA1

b71d98ec45e6f7314f0e33106485beef99b2ee7c
SHA256

7e49e00be1992fbc4ac14f2e5e3c05dccadf8fba3c3936357d8df7f146f5f0a3
SHA512

639fa23294556bf77080d420e7e1b5b7c07a8b1e93897c36a4f8e398c1c58de9b91636420102e68f6957c768793797728664e32dc38aa68315746882b4ebe1d9
SSDEEP

393216:XX921sp/n85Pfs/dQETVlOBbpFEj9GZ1GphRqV56Hpk7IXOzDnKI17fyV5:XN8s18hHExiTI3qqHp6zvKcfyV5

Score

10^/10

bazarbackdoor backdoor discovery upx

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 9 IoCs

resource	yara_rule
behavioral1/files/0x000600000001dabb-104.dat	BazarBackdoorVar3
behavioral1/files/0x000600000001dabb-106.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001dac8-107.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001dac8-109.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001dac8-115.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001dac8-118.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001dac8-117.dat	BazarBackdoorVar3
behavioral1/files/0x000200000000f6f7-121.dat	BazarBackdoorVar3
behavioral1/files/0x000500000001dbec-137.dat	BazarBackdoorVar3

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	1652	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
2020	irsetup.exe
964	AdditionalExecuteTL.exe
1972	irsetup.exe
1520	jre-windows.exe
1916	jre-windows.exe
644	installer.exe

Loads dropped DLL 27 IoCs

pid	Process
1260	TLauncher-2.871-Installer-1.0.6.exe
1260	TLauncher-2.871-Installer-1.0.6.exe
1260	TLauncher-2.871-Installer-1.0.6.exe
1260	TLauncher-2.871-Installer-1.0.6.exe
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
964	AdditionalExecuteTL.exe
964	AdditionalExecuteTL.exe
964	AdditionalExecuteTL.exe
964	AdditionalExecuteTL.exe
1972	irsetup.exe
1972	irsetup.exe
1972	irsetup.exe
2020	irsetup.exe
1520	jre-windows.exe
1212	Process not Found
1212	Process not Found
340	MsiExec.exe
340	MsiExec.exe
340	MsiExec.exe
1652	msiexec.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000131aa-55.dat	upx
behavioral1/files/0x00090000000131aa-56.dat	upx
behavioral1/files/0x00090000000131aa-58.dat	upx
behavioral1/files/0x00090000000131aa-57.dat	upx
behavioral1/files/0x00090000000131aa-62.dat	upx
behavioral1/files/0x00090000000131aa-66.dat	upx
behavioral1/memory/2020-67-0x0000000001150000-0x0000000001538000-memory.dmp	upx
behavioral1/memory/2020-73-0x0000000001150000-0x0000000001538000-memory.dmp	upx
behavioral1/files/0x00090000000131aa-74.dat	upx
behavioral1/files/0x000400000001caec-83.dat	upx
behavioral1/files/0x000400000001caec-84.dat	upx
behavioral1/files/0x000400000001caec-86.dat	upx
behavioral1/files/0x000400000001caec-85.dat	upx
behavioral1/files/0x000400000001caec-91.dat	upx
behavioral1/files/0x000400000001caec-97.dat	upx
behavioral1/memory/1972-101-0x0000000000B70000-0x0000000000F58000-memory.dmp	upx
behavioral1/files/0x000400000001dc06-140.dat	upx
behavioral1/memory/1152-141-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x000400000001dc06-142.dat	upx
behavioral1/files/0x000400000001dc06-145.dat	upx
behavioral1/files/0x000400000001dc06-144.dat	upx
behavioral1/files/0x000400000001dc06-146.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_351\installer.exe	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6dd569.msi	msiexec.exe
File created	C:\Windows\Installer\6dd56b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF928.tmp	msiexec.exe
File created	C:\Windows\Installer\6dd569.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF8E8.tmp	msiexec.exe
File created	C:\Windows\Installer\6dd56d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF35B.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F\jrecore	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Version = "134221238"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductIcon = "C:\\Program Files\\Java\\jre1.8.0_351\\\\bin\\javaws.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800\4EA42A62D9304AC4784BF2468130150F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\PackageName = "jre1.8.0_35164.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductName = "Java 8 Update 351 (64-bit)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\PackageCode = "97BA944EF7A3CCC4488541CAD6E00626"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media	msiexec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1916	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1916	jre-windows.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeSecurityPrivilege	1652	msiexec.exe
Token: SeCreateTokenPrivilege	1916	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	1916	jre-windows.exe
Token: SeLockMemoryPrivilege	1916	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1916	jre-windows.exe
Token: SeMachineAccountPrivilege	1916	jre-windows.exe
Token: SeTcbPrivilege	1916	jre-windows.exe
Token: SeSecurityPrivilege	1916	jre-windows.exe
Token: SeTakeOwnershipPrivilege	1916	jre-windows.exe
Token: SeLoadDriverPrivilege	1916	jre-windows.exe
Token: SeSystemProfilePrivilege	1916	jre-windows.exe
Token: SeSystemtimePrivilege	1916	jre-windows.exe
Token: SeProfSingleProcessPrivilege	1916	jre-windows.exe
Token: SeIncBasePriorityPrivilege	1916	jre-windows.exe
Token: SeCreatePagefilePrivilege	1916	jre-windows.exe
Token: SeCreatePermanentPrivilege	1916	jre-windows.exe
Token: SeBackupPrivilege	1916	jre-windows.exe
Token: SeRestorePrivilege	1916	jre-windows.exe
Token: SeShutdownPrivilege	1916	jre-windows.exe
Token: SeDebugPrivilege	1916	jre-windows.exe
Token: SeAuditPrivilege	1916	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	1916	jre-windows.exe
Token: SeChangeNotifyPrivilege	1916	jre-windows.exe
Token: SeRemoteShutdownPrivilege	1916	jre-windows.exe
Token: SeUndockPrivilege	1916	jre-windows.exe
Token: SeSyncAgentPrivilege	1916	jre-windows.exe
Token: SeEnableDelegationPrivilege	1916	jre-windows.exe
Token: SeManageVolumePrivilege	1916	jre-windows.exe
Token: SeImpersonatePrivilege	1916	jre-windows.exe
Token: SeCreateGlobalPrivilege	1916	jre-windows.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
2020	irsetup.exe
1972	irsetup.exe
1972	irsetup.exe
1916	jre-windows.exe
1916	jre-windows.exe
1916	jre-windows.exe
1916	jre-windows.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2020	1260	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1260 wrote to memory of 2020	1260	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1260 wrote to memory of 2020	1260	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1260 wrote to memory of 2020	1260	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1260 wrote to memory of 2020	1260	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1260 wrote to memory of 2020	1260	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1260 wrote to memory of 2020	1260	TLauncher-2.871-Installer-1.0.6.exe	28
PID 2020 wrote to memory of 964	2020	irsetup.exe	31
PID 2020 wrote to memory of 964	2020	irsetup.exe	31
PID 2020 wrote to memory of 964	2020	irsetup.exe	31
PID 2020 wrote to memory of 964	2020	irsetup.exe	31
PID 2020 wrote to memory of 964	2020	irsetup.exe	31
PID 2020 wrote to memory of 964	2020	irsetup.exe	31
PID 2020 wrote to memory of 964	2020	irsetup.exe	31
PID 964 wrote to memory of 1972	964	AdditionalExecuteTL.exe	32
PID 964 wrote to memory of 1972	964	AdditionalExecuteTL.exe	32
PID 964 wrote to memory of 1972	964	AdditionalExecuteTL.exe	32
PID 964 wrote to memory of 1972	964	AdditionalExecuteTL.exe	32
PID 964 wrote to memory of 1972	964	AdditionalExecuteTL.exe	32
PID 964 wrote to memory of 1972	964	AdditionalExecuteTL.exe	32
PID 964 wrote to memory of 1972	964	AdditionalExecuteTL.exe	32
PID 2020 wrote to memory of 1520	2020	irsetup.exe	34
PID 2020 wrote to memory of 1520	2020	irsetup.exe	34
PID 2020 wrote to memory of 1520	2020	irsetup.exe	34
PID 2020 wrote to memory of 1520	2020	irsetup.exe	34
PID 1520 wrote to memory of 1916	1520	jre-windows.exe	35
PID 1520 wrote to memory of 1916	1520	jre-windows.exe	35
PID 1520 wrote to memory of 1916	1520	jre-windows.exe	35
PID 1652 wrote to memory of 340	1652	msiexec.exe	39
PID 1652 wrote to memory of 340	1652	msiexec.exe	39
PID 1652 wrote to memory of 340	1652	msiexec.exe	39
PID 1652 wrote to memory of 340	1652	msiexec.exe	39
PID 1652 wrote to memory of 340	1652	msiexec.exe	39
PID 1652 wrote to memory of 644	1652	msiexec.exe	40
PID 1652 wrote to memory of 644	1652	msiexec.exe	40
PID 1652 wrote to memory of 644	1652	msiexec.exe	40

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6.exe" "__IRCT:3" "__IRTSS:24870711" "__IRSID:S-1-5-21-1214520366-621468234-4062160515-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-1214520366-621468234-4062160515-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1972
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\jds7152443.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7152443.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 5EA746B2DF4D242971332E78DCC92259
  2⤵
  - Loads dropped DLL
  PID:340
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  PID:644
- - C:\ProgramData\Oracle\Java\installcache_x64\7210288.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
101.9MB

MD5
b2d0f38139bca86e0e96941cafe97e7f

SHA1
5336ec013d34483915cc9f62abddeca0d01afa34

SHA256
9a4169d362bbe55ed27bff53e988cdfb028fc13ce009f791af7d53473e55b608

SHA512
779de1138d3b3023122aadda67bb77b48b8f345d4f54493e8f999886c9276df5a5c6fc5840235a350c9fcbd57226859d7f2e4d59e97fcebf5f7a63d5552d8a14

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7210288.tmp\baseimagefam8

Filesize
46.1MB

MD5
0e005e45013892ab4f4673dd55451853

SHA1
66dc44d049d229f8a65705960e0d397fa3e471cd

SHA256
7ee8ef13d548dd9116fcee44d8cd52674d44c6d48cdded557eb0e45b921e2d46

SHA512
9ea1a9fe4f7d3005a675850a4b84e8d6bc4ca2ca9e518ee9f4bbc02bc4e523c955b37c5319b0de2dbf48dd96d12792e400d47bd46598b38823d3bca39825badc

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7210288.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7210288.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7210288.tmp\diff

Filesize
45.9MB

MD5
8865e18f295e66ba50e74361b3aa59e6

SHA1
a3881ffdcbc2f7f9bdfd31f0200dc298ae57a784

SHA256
d9ef8e3c300311bcb942d41ca57b3ffc38ecddaa4a690cc0cfacd3f010827fe1

SHA512
34703b6511f42d6538c7182dfead6f96cbf994febee556c360c58b94a46196bed7415d92c3686250d96eb1e211c349ccac30d0eed0b69ed3ef0d6c31ec2ef875

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
dfe513d54b6e0521ac2adb089eceef04

SHA1
a149214a46b7909c36edb90527de69de4f70d9a8

SHA256
7cb878b60608be35a23719e78e10c1270c908f724fde44d812e3fc703037298b

SHA512
58aac2ce5ec39ef906477a79017259fe0e922c6672b64dd9df0ba977e46b98cfb4633b0886084e17e5304988f29854679b5c56a622121c473b2b6440bcabe0bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10433856ece6f32591c41a2848c6bb88

SHA1
2dbca31b6f589aef9a4de57dc46702a1aa701213

SHA256
60f3c32164c476c0f3931a8fc89625e66caf109bb8d1d7b707e6aa4155e4330c

SHA512
fbcbcf6295f6e9c137ee0cee08fd923603acd3caaf2f7371020bb6e47a6714820744de34fa1982d2f083c476fde51c362f7284a591ba6a13bca3746a2410dd4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
c04653c2b993b28fd8c9390526de91dd

SHA1
87f0057b041b9efffefe39c133454f297d4eb3fd

SHA256
7c155a73970769f22217274abaaf00c8031a0858d3ab230e23dba70c919ce188

SHA512
5d3ddcb1fafc138e4a74a8540d5702a88b77aebbbd721423bf57fd3e3040d27e88ebf68a073b364bd8de2961b319fe02ee7875d6f50df8f7822981fa2f7bf14e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5c85ae1b45f67b993f3f77f2c5771885

SHA1
ca482229b0209b440623fadd2d9f87435af4ac63

SHA256
e952601a4c2fca62392a3eaa17c03fd1c08786f0f200c84ea73a6d99e613cf64

SHA512
ae215d68fbd885268deca7cb580bf882cf1be675265908dfc7edc7bac9d04a35f465bfd6ac7ba00e9b016f29139d672d264513d2a0afb0664db61ec4943a2cc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7152443.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7152443.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
74d34e7c6f68b393f9364470d85940ce

SHA1
cb616a623e4ac4fc541ebd59c91e418cc9bbacf2

SHA256
5c2eed368e9332ac0e9c37df70e85cd973d50739948f7bb395ac6e8dbf0cc435

SHA512
07331ab81984e14217ddfaa78bd8d76a91ba255f894d80f8cd106d66bdabc891ba1692bb760b0efb9711cdc9277e4919a1bbef7b09e65b4a3debe5c333edf5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
26KB

MD5
5959e3481fdb30c249c12e49c020bd54

SHA1
ef6779daa4d9ab204bf7e798fa9ce83131255522

SHA256
2e39593264ec338f289fdb3a427e3e6b9ba7efe13b48c1f28da39d322df46f05

SHA512
5e30c5da451b8c201b0d20464390b605f3b6010ec425ce45f7fe73c03a9501e2307b6655ed06475bf2fd1133b50b0be22461d8e1d68944370dafec1af62e2244

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
39KB

MD5
1bf4ec9050493d95a629072630d778d0

SHA1
1905363a54b5338b0bc1637f3202db58828a34d7

SHA256
e0e47e8461818cef7796fb7d14498a07a1c86f7054aa5e78e774831ed8253445

SHA512
4c7faeeeb892912d0a96788841da6a7edb640b886bcda0baeb948befcec18c0dc183571c6236524a1a2c52c48c3ab2ceca915cf119623dd774b35306430c88f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
603B

MD5
335220db00f4890ce99ea7dd6cec2bdf

SHA1
1b02d6e1fe82768294e563dbe0ee59010ed5f9d6

SHA256
fdd7b3eddc58ccfea23d17956e0082f22ac4c1fb1676a3e4d7e65e89b61a4ab3

SHA512
db44ebf9be31805b8f7b143950933a18eb34070f5b7b669cd18e78fc368f70fce30878709675c46353491d9feda4a54148a20b454d6850796eff740cfd6ca88f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VT583FLA.txt

Filesize
869B

MD5
3157a075b291210f4eaab56063ecb829

SHA1
6dcb8e04abe16ba56bc5e464febf7fb107907a88

SHA256
125544f8ed5e9952756cd23388a53d21da89ffc64047d98d8b7ed90744556ca7

SHA512
b389e08fc8578a2b352e5b17349d7bfef15a5e96854cfb22ccd1066bf6c7319dd584edc11249be7c4b918d9f085c324747e84db356c7146096a8a56339f49d2e

Download Submit
C:\Windows\Installer\6dd56d.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\MSIF35B.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIF5CC.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIF928.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
104.4MB

MD5
cd6322035af08ca71449d1bb04d924b9

SHA1
5ca20509aaa83d466787a64d803ee25a31d8a17d

SHA256
e3b805b4df77d97043c0f5a9e0b12491f8b874d623a577f037cb2fbee66b2f25

SHA512
6e51487272f09f7c7687e03f8a206c5797446d6de75e24501986577076ef0c4fe9c74f7e9d69ff7e0b562ff2ee0b17e85550b641f3db8bb29985bd556d45b96f

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7210288.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7210288.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7210288.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds7152443.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7152443.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7152443.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Windows\Installer\MSIF35B.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIF5CC.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIF928.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
memory/964-93-0x0000000002AF0000-0x0000000002ED8000-memory.dmp

Filesize
3.9MB

Download
memory/964-89-0x0000000002AF0000-0x0000000002ED8000-memory.dmp

Filesize
3.9MB

Download
memory/964-90-0x0000000002AF0000-0x0000000002ED8000-memory.dmp

Filesize
3.9MB

Download
memory/964-95-0x0000000002AF0000-0x0000000002ED8000-memory.dmp

Filesize
3.9MB

Download
memory/1152-151-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1152-150-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1152-149-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1152-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1260-59-0x0000000002CB0000-0x0000000003098000-memory.dmp

Filesize
3.9MB

Download
memory/1260-60-0x0000000002CB0000-0x0000000003098000-memory.dmp

Filesize
3.9MB

Download
memory/1260-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1260-72-0x0000000002CB0000-0x0000000003098000-memory.dmp

Filesize
3.9MB

Download
memory/1916-110-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/1972-101-0x0000000000B70000-0x0000000000F58000-memory.dmp

Filesize
3.9MB

Download
memory/2020-70-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2020-73-0x0000000001150000-0x0000000001538000-memory.dmp

Filesize
3.9MB

Download
memory/2020-103-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2020-87-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2020-71-0x0000000000490000-0x00000000004BC000-memory.dmp

Filesize
176KB

Download
memory/2020-138-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2020-67-0x0000000001150000-0x0000000001538000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads