healer | 4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe
Size

1.0MB
MD5

e3f57f81f0bee6248362e748bc8ef479
SHA1

3334bafd4c1f379e950feb5e6d447e645ed6bd48
SHA256

4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a
SHA512

9c1a777ffd78652c9c049040e242e5aa5a4db9c9c41e69b518c4c5faac3f57d15c802c2af2bbce6d34fdf09d539aaf5abdba9ed25bc3e0b270e4b7f5115d6e2a
SSDEEP

24576:my9KsyXuBDaA+/eznvjY4PdHbVKUyd1uVKEjw:19KVsaA+2znrY4P9RKPdYbj

Score

10^/10

healer mystic dropper evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2492-64-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2492-66-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2492-68-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2492-71-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2492-73-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2492-75-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5155381.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5155381.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5155381.exe	healer
behavioral1/memory/2740-48-0x0000000000120000-0x000000000012A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q5155381.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q5155381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q5155381.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q5155381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q5155381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q5155381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q5155381.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Executes dropped EXE 6 IoCs

Processes:

z8174486.exez1190423.exez9287979.exez9058040.exeq5155381.exer6967327.exe

pid process

2012 z8174486.exe
3048 z1190423.exe
2668 z9287979.exe
2540 z9058040.exe
2740 q5155381.exe
2456 r6967327.exe

pid	process
2012	z8174486.exe
3048	z1190423.exe
2668	z9287979.exe
2540	z9058040.exe
2740	q5155381.exe
2456	r6967327.exe

Loads dropped DLL 16 IoCs

Processes:

4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exez8174486.exez1190423.exez9287979.exez9058040.exer6967327.exeWerFault.exe

pid	process
2244	4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe
2012	z8174486.exe
2012	z8174486.exe
3048	z1190423.exe
3048	z1190423.exe
2668	z9287979.exe
2668	z9287979.exe
2540	z9058040.exe
2540	z9058040.exe
2540	z9058040.exe
2540	z9058040.exe
2456	r6967327.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

q5155381.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	q5155381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q5155381.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z9058040.exe4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exez8174486.exez1190423.exez9287979.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9058040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8174486.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1190423.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9287979.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

r6967327.exe

description pid process target process

PID 2456 set thread context of 2492 2456 r6967327.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2476 2456 WerFault.exe r6967327.exe
2920 2492 WerFault.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

q5155381.exe

pid process

2740 q5155381.exe
2740 q5155381.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

q5155381.exe

description pid process

Token: SeDebugPrivilege 2740 q5155381.exe

description	pid	process	target process
PID 2456 set thread context of 2492	2456	r6967327.exe	AppLaunch.exe

pid	pid_target	process	target process
2476	2456	WerFault.exe	r6967327.exe
2920	2492	WerFault.exe	AppLaunch.exe

pid	process
2740	q5155381.exe
2740	q5155381.exe

description	pid	process
Token: SeDebugPrivilege	2740	q5155381.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exez8174486.exez1190423.exez9287979.exez9058040.exer6967327.exeAppLaunch.exe

description	pid	process	target process
PID 2244 wrote to memory of 2012	2244	4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe	z8174486.exe
PID 2244 wrote to memory of 2012	2244	4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe	z8174486.exe
PID 2244 wrote to memory of 2012	2244	4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe	z8174486.exe
PID 2244 wrote to memory of 2012	2244	4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe	z8174486.exe
PID 2244 wrote to memory of 2012	2244	4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe	z8174486.exe
PID 2244 wrote to memory of 2012	2244	4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe	z8174486.exe
PID 2244 wrote to memory of 2012	2244	4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe	z8174486.exe
PID 2012 wrote to memory of 3048	2012	z8174486.exe	z1190423.exe
PID 2012 wrote to memory of 3048	2012	z8174486.exe	z1190423.exe
PID 2012 wrote to memory of 3048	2012	z8174486.exe	z1190423.exe
PID 2012 wrote to memory of 3048	2012	z8174486.exe	z1190423.exe
PID 2012 wrote to memory of 3048	2012	z8174486.exe	z1190423.exe
PID 2012 wrote to memory of 3048	2012	z8174486.exe	z1190423.exe
PID 2012 wrote to memory of 3048	2012	z8174486.exe	z1190423.exe
PID 3048 wrote to memory of 2668	3048	z1190423.exe	z9287979.exe
PID 3048 wrote to memory of 2668	3048	z1190423.exe	z9287979.exe
PID 3048 wrote to memory of 2668	3048	z1190423.exe	z9287979.exe
PID 3048 wrote to memory of 2668	3048	z1190423.exe	z9287979.exe
PID 3048 wrote to memory of 2668	3048	z1190423.exe	z9287979.exe
PID 3048 wrote to memory of 2668	3048	z1190423.exe	z9287979.exe
PID 3048 wrote to memory of 2668	3048	z1190423.exe	z9287979.exe
PID 2668 wrote to memory of 2540	2668	z9287979.exe	z9058040.exe
PID 2668 wrote to memory of 2540	2668	z9287979.exe	z9058040.exe
PID 2668 wrote to memory of 2540	2668	z9287979.exe	z9058040.exe
PID 2668 wrote to memory of 2540	2668	z9287979.exe	z9058040.exe
PID 2668 wrote to memory of 2540	2668	z9287979.exe	z9058040.exe
PID 2668 wrote to memory of 2540	2668	z9287979.exe	z9058040.exe
PID 2668 wrote to memory of 2540	2668	z9287979.exe	z9058040.exe
PID 2540 wrote to memory of 2740	2540	z9058040.exe	q5155381.exe
PID 2540 wrote to memory of 2740	2540	z9058040.exe	q5155381.exe
PID 2540 wrote to memory of 2740	2540	z9058040.exe	q5155381.exe
PID 2540 wrote to memory of 2740	2540	z9058040.exe	q5155381.exe
PID 2540 wrote to memory of 2740	2540	z9058040.exe	q5155381.exe
PID 2540 wrote to memory of 2740	2540	z9058040.exe	q5155381.exe
PID 2540 wrote to memory of 2740	2540	z9058040.exe	q5155381.exe
PID 2540 wrote to memory of 2456	2540	z9058040.exe	r6967327.exe
PID 2540 wrote to memory of 2456	2540	z9058040.exe	r6967327.exe
PID 2540 wrote to memory of 2456	2540	z9058040.exe	r6967327.exe
PID 2540 wrote to memory of 2456	2540	z9058040.exe	r6967327.exe
PID 2540 wrote to memory of 2456	2540	z9058040.exe	r6967327.exe
PID 2540 wrote to memory of 2456	2540	z9058040.exe	r6967327.exe
PID 2540 wrote to memory of 2456	2540	z9058040.exe	r6967327.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2456 wrote to memory of 2492	2456	r6967327.exe	AppLaunch.exe
PID 2492 wrote to memory of 2920	2492	AppLaunch.exe	WerFault.exe
PID 2492 wrote to memory of 2920	2492	AppLaunch.exe	WerFault.exe
PID 2492 wrote to memory of 2920	2492	AppLaunch.exe	WerFault.exe
PID 2492 wrote to memory of 2920	2492	AppLaunch.exe	WerFault.exe
PID 2492 wrote to memory of 2920	2492	AppLaunch.exe	WerFault.exe
PID 2492 wrote to memory of 2920	2492	AppLaunch.exe	WerFault.exe
PID 2492 wrote to memory of 2920	2492	AppLaunch.exe	WerFault.exe
PID 2456 wrote to memory of 2476	2456	r6967327.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe
"C:\Users\Admin\AppData\Local\Temp\4b1c2c08374e5309bc1244864d95c6a2454311dc97beb634345be450dea8eb2a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8174486.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8174486.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1190423.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1190423.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9287979.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9287979.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9058040.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9058040.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5155381.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5155381.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 268
8⤵
- Program crash
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 276
7⤵
- Loads dropped DLL
- Program crash
PID:2476

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8174486.exe
Filesize
972KB

MD5
1b7c236da6e32c77062d4abde16b69a8

SHA1
a8a0cbc97b1fba795dcd578f8656b247066a44d5

SHA256
ae4bc95704aa5cef24e13a5de769d36e5f469f6af3c96846b4368a3a65f6cb09

SHA512
ae9a96a80fd76c0e52583ab070657cdc5bcad4d7221167c3d812d8ae5f8d09acb8d79b42e4a34cbc367e64aeadbd7a71fd0fa0b6811602ac0e2b8db03c71d392

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8174486.exe
Filesize
972KB

MD5
1b7c236da6e32c77062d4abde16b69a8

SHA1
a8a0cbc97b1fba795dcd578f8656b247066a44d5

SHA256
ae4bc95704aa5cef24e13a5de769d36e5f469f6af3c96846b4368a3a65f6cb09

SHA512
ae9a96a80fd76c0e52583ab070657cdc5bcad4d7221167c3d812d8ae5f8d09acb8d79b42e4a34cbc367e64aeadbd7a71fd0fa0b6811602ac0e2b8db03c71d392

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1190423.exe
Filesize
789KB

MD5
38c6ae39e475b6cd8793f1d7596944eb

SHA1
8eeb513a6e662c212d475a201ebb3858ad52018c

SHA256
4f841f725951c25588c8654e49eb3c5673cf66ec789e7f74b2854b4d0ebfe307

SHA512
4cc7e40e632c008c070fc4653a132b071821efee823994dc82430da0f72faada92a16fd78b36c577c442af29a78c66daf3d476d718cd19bc93fe381892bdef4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1190423.exe
Filesize
789KB

MD5
38c6ae39e475b6cd8793f1d7596944eb

SHA1
8eeb513a6e662c212d475a201ebb3858ad52018c

SHA256
4f841f725951c25588c8654e49eb3c5673cf66ec789e7f74b2854b4d0ebfe307

SHA512
4cc7e40e632c008c070fc4653a132b071821efee823994dc82430da0f72faada92a16fd78b36c577c442af29a78c66daf3d476d718cd19bc93fe381892bdef4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9287979.exe
Filesize
607KB

MD5
c43bb892472dd1e237867c34e69a6939

SHA1
3624d89385f703b2129404d31e0f9ec453db5945

SHA256
be4ad37131de8cc92aa520771e2c1d9f3b2a0a6a12c357d18c35ce0b12730744

SHA512
42a9564fdfc167f829c4050c57366103b8ff117abf9302afa1e2163ffceee8c21d05e38a1e698854cdef39b697c27c797cfef8602fac7ac0b5ce0a4f177e93a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9287979.exe
Filesize
607KB

MD5
c43bb892472dd1e237867c34e69a6939

SHA1
3624d89385f703b2129404d31e0f9ec453db5945

SHA256
be4ad37131de8cc92aa520771e2c1d9f3b2a0a6a12c357d18c35ce0b12730744

SHA512
42a9564fdfc167f829c4050c57366103b8ff117abf9302afa1e2163ffceee8c21d05e38a1e698854cdef39b697c27c797cfef8602fac7ac0b5ce0a4f177e93a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9058040.exe
Filesize
336KB

MD5
1b3f7cb90f9bb46c39e024199fa016b3

SHA1
90579ac69bf26e526ebc319bb65ba01cb4768c24

SHA256
a0f85ffa2bf4db4d0d8f2571ab91184af7b58116bf71e23944c05e35fb643ecb

SHA512
fda8c0dab446422ffc09f15a8dc9efea7b72596deadad570b39bd74c84859c280aae431f71e4267a373bac40ddfced0df834424162d9e6f95997e5f9719d5f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9058040.exe
Filesize
336KB

MD5
1b3f7cb90f9bb46c39e024199fa016b3

SHA1
90579ac69bf26e526ebc319bb65ba01cb4768c24

SHA256
a0f85ffa2bf4db4d0d8f2571ab91184af7b58116bf71e23944c05e35fb643ecb

SHA512
fda8c0dab446422ffc09f15a8dc9efea7b72596deadad570b39bd74c84859c280aae431f71e4267a373bac40ddfced0df834424162d9e6f95997e5f9719d5f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5155381.exe
Filesize
11KB

MD5
ca1b3291440c7e7bd61989c06eddc378

SHA1
68835b0590783f4031d7f50bc5523862b4ff366e

SHA256
620d54aacdcd97d378965840455a89b934bcd4c04b91c2e38a19387594d7a232

SHA512
4863fb12a4e19b9e2deb1291b4e9c7a9abf7a5ce758d7301ed67cc77e374723e770252dc3d44f842b5a014ff2b3362e0714dcdbf4fc642e8a3747729ff8fb969

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5155381.exe
Filesize
11KB

MD5
ca1b3291440c7e7bd61989c06eddc378

SHA1
68835b0590783f4031d7f50bc5523862b4ff366e

SHA256
620d54aacdcd97d378965840455a89b934bcd4c04b91c2e38a19387594d7a232

SHA512
4863fb12a4e19b9e2deb1291b4e9c7a9abf7a5ce758d7301ed67cc77e374723e770252dc3d44f842b5a014ff2b3362e0714dcdbf4fc642e8a3747729ff8fb969

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8174486.exe
Filesize
972KB

MD5
1b7c236da6e32c77062d4abde16b69a8

SHA1
a8a0cbc97b1fba795dcd578f8656b247066a44d5

SHA256
ae4bc95704aa5cef24e13a5de769d36e5f469f6af3c96846b4368a3a65f6cb09

SHA512
ae9a96a80fd76c0e52583ab070657cdc5bcad4d7221167c3d812d8ae5f8d09acb8d79b42e4a34cbc367e64aeadbd7a71fd0fa0b6811602ac0e2b8db03c71d392

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8174486.exe
Filesize
972KB

MD5
1b7c236da6e32c77062d4abde16b69a8

SHA1
a8a0cbc97b1fba795dcd578f8656b247066a44d5

SHA256
ae4bc95704aa5cef24e13a5de769d36e5f469f6af3c96846b4368a3a65f6cb09

SHA512
ae9a96a80fd76c0e52583ab070657cdc5bcad4d7221167c3d812d8ae5f8d09acb8d79b42e4a34cbc367e64aeadbd7a71fd0fa0b6811602ac0e2b8db03c71d392

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1190423.exe
Filesize
789KB

MD5
38c6ae39e475b6cd8793f1d7596944eb

SHA1
8eeb513a6e662c212d475a201ebb3858ad52018c

SHA256
4f841f725951c25588c8654e49eb3c5673cf66ec789e7f74b2854b4d0ebfe307

SHA512
4cc7e40e632c008c070fc4653a132b071821efee823994dc82430da0f72faada92a16fd78b36c577c442af29a78c66daf3d476d718cd19bc93fe381892bdef4e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1190423.exe
Filesize
789KB

MD5
38c6ae39e475b6cd8793f1d7596944eb

SHA1
8eeb513a6e662c212d475a201ebb3858ad52018c

SHA256
4f841f725951c25588c8654e49eb3c5673cf66ec789e7f74b2854b4d0ebfe307

SHA512
4cc7e40e632c008c070fc4653a132b071821efee823994dc82430da0f72faada92a16fd78b36c577c442af29a78c66daf3d476d718cd19bc93fe381892bdef4e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9287979.exe
Filesize
607KB

MD5
c43bb892472dd1e237867c34e69a6939

SHA1
3624d89385f703b2129404d31e0f9ec453db5945

SHA256
be4ad37131de8cc92aa520771e2c1d9f3b2a0a6a12c357d18c35ce0b12730744

SHA512
42a9564fdfc167f829c4050c57366103b8ff117abf9302afa1e2163ffceee8c21d05e38a1e698854cdef39b697c27c797cfef8602fac7ac0b5ce0a4f177e93a4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9287979.exe
Filesize
607KB

MD5
c43bb892472dd1e237867c34e69a6939

SHA1
3624d89385f703b2129404d31e0f9ec453db5945

SHA256
be4ad37131de8cc92aa520771e2c1d9f3b2a0a6a12c357d18c35ce0b12730744

SHA512
42a9564fdfc167f829c4050c57366103b8ff117abf9302afa1e2163ffceee8c21d05e38a1e698854cdef39b697c27c797cfef8602fac7ac0b5ce0a4f177e93a4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9058040.exe
Filesize
336KB

MD5
1b3f7cb90f9bb46c39e024199fa016b3

SHA1
90579ac69bf26e526ebc319bb65ba01cb4768c24

SHA256
a0f85ffa2bf4db4d0d8f2571ab91184af7b58116bf71e23944c05e35fb643ecb

SHA512
fda8c0dab446422ffc09f15a8dc9efea7b72596deadad570b39bd74c84859c280aae431f71e4267a373bac40ddfced0df834424162d9e6f95997e5f9719d5f54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9058040.exe
Filesize
336KB

MD5
1b3f7cb90f9bb46c39e024199fa016b3

SHA1
90579ac69bf26e526ebc319bb65ba01cb4768c24

SHA256
a0f85ffa2bf4db4d0d8f2571ab91184af7b58116bf71e23944c05e35fb643ecb

SHA512
fda8c0dab446422ffc09f15a8dc9efea7b72596deadad570b39bd74c84859c280aae431f71e4267a373bac40ddfced0df834424162d9e6f95997e5f9719d5f54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5155381.exe
Filesize
11KB

MD5
ca1b3291440c7e7bd61989c06eddc378

SHA1
68835b0590783f4031d7f50bc5523862b4ff366e

SHA256
620d54aacdcd97d378965840455a89b934bcd4c04b91c2e38a19387594d7a232

SHA512
4863fb12a4e19b9e2deb1291b4e9c7a9abf7a5ce758d7301ed67cc77e374723e770252dc3d44f842b5a014ff2b3362e0714dcdbf4fc642e8a3747729ff8fb969

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6967327.exe
Filesize
356KB

MD5
6667add29b0684453f736dd4568950cb

SHA1
c4b4d02aa4e51e0a624d7ea583ca32c9086672ba

SHA256
2f76103e70c647b86176c509ebfcb566e3989ed781bb2b3a3869e278f3954623

SHA512
162800e46fc74c62dd51a85d32f9a57aa41e6772afa04acf89c2476b7b3071c77a67924cc524bc4c1073dee6063b5484ffc0243d648d4bc44da4943ac1ee5565

Download Submit
memory/2492-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2492-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2492-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2492-62-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2492-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2492-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2492-70-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-71-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2492-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2492-75-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2740-51-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2740-50-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2740-49-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2740-48-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads