healer | d69958c38bd04cd3b71d6e43032fb8466ffc5f7cf90d524120bfd23f9337cc8e

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b052f5ef3dfebe20d00b345c6424292b.exe
Size

1.1MB
MD5

b052f5ef3dfebe20d00b345c6424292b
SHA1

2be5429aa5b38d7c7cb080b8bc07d9e99d50733d
SHA256

d69958c38bd04cd3b71d6e43032fb8466ffc5f7cf90d524120bfd23f9337cc8e
SHA512

6774ac2bcfd6af0ff96fbfd57feef1c839d216499cf0fc59d47327abe81e5d7e66e2939e4512b546c75c37260aee212904595447823cd90b6a8570083c1f5d77
SSDEEP

24576:Dyn30OXWeLe8swWolpYWrvy01mihz8ELKrBsmoXUe+j:W3P68HWol6WTyZ9rBfe+

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2604-58-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-56-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-60-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-55-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

Processes:

z6274385.exez3684189.exez9197332.exez4709113.exeq2508315.exe

pid process

2312 z6274385.exe
1208 z3684189.exe
1624 z9197332.exe
2292 z4709113.exe
2076 q2508315.exe

pid	process
2312	z6274385.exe
1208	z3684189.exe
1624	z9197332.exe
2292	z4709113.exe
2076	q2508315.exe

Loads dropped DLL 15 IoCs

Processes:

b052f5ef3dfebe20d00b345c6424292b.exez6274385.exez3684189.exez9197332.exez4709113.exeq2508315.exeWerFault.exe

pid	process
1692	b052f5ef3dfebe20d00b345c6424292b.exe
2312	z6274385.exe
2312	z6274385.exe
1208	z3684189.exe
1208	z3684189.exe
1624	z9197332.exe
1624	z9197332.exe
2292	z4709113.exe
2292	z4709113.exe
2292	z4709113.exe
2076	q2508315.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z4709113.exeb052f5ef3dfebe20d00b345c6424292b.exez6274385.exez3684189.exez9197332.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4709113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b052f5ef3dfebe20d00b345c6424292b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6274385.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3684189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9197332.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q2508315.exe

description pid process target process

PID 2076 set thread context of 2604 2076 q2508315.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2656 2076 WerFault.exe q2508315.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2604 AppLaunch.exe
2604 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2604 AppLaunch.exe

description	pid	process	target process
PID 2076 set thread context of 2604	2076	q2508315.exe	AppLaunch.exe

pid	pid_target	process	target process
2656	2076	WerFault.exe	q2508315.exe

pid	process
2604	AppLaunch.exe
2604	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2604	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

b052f5ef3dfebe20d00b345c6424292b.exez6274385.exez3684189.exez9197332.exez4709113.exeq2508315.exe

description	pid	process	target process
PID 1692 wrote to memory of 2312	1692	b052f5ef3dfebe20d00b345c6424292b.exe	z6274385.exe
PID 1692 wrote to memory of 2312	1692	b052f5ef3dfebe20d00b345c6424292b.exe	z6274385.exe
PID 1692 wrote to memory of 2312	1692	b052f5ef3dfebe20d00b345c6424292b.exe	z6274385.exe
PID 1692 wrote to memory of 2312	1692	b052f5ef3dfebe20d00b345c6424292b.exe	z6274385.exe
PID 1692 wrote to memory of 2312	1692	b052f5ef3dfebe20d00b345c6424292b.exe	z6274385.exe
PID 1692 wrote to memory of 2312	1692	b052f5ef3dfebe20d00b345c6424292b.exe	z6274385.exe
PID 1692 wrote to memory of 2312	1692	b052f5ef3dfebe20d00b345c6424292b.exe	z6274385.exe
PID 2312 wrote to memory of 1208	2312	z6274385.exe	z3684189.exe
PID 2312 wrote to memory of 1208	2312	z6274385.exe	z3684189.exe
PID 2312 wrote to memory of 1208	2312	z6274385.exe	z3684189.exe
PID 2312 wrote to memory of 1208	2312	z6274385.exe	z3684189.exe
PID 2312 wrote to memory of 1208	2312	z6274385.exe	z3684189.exe
PID 2312 wrote to memory of 1208	2312	z6274385.exe	z3684189.exe
PID 2312 wrote to memory of 1208	2312	z6274385.exe	z3684189.exe
PID 1208 wrote to memory of 1624	1208	z3684189.exe	z9197332.exe
PID 1208 wrote to memory of 1624	1208	z3684189.exe	z9197332.exe
PID 1208 wrote to memory of 1624	1208	z3684189.exe	z9197332.exe
PID 1208 wrote to memory of 1624	1208	z3684189.exe	z9197332.exe
PID 1208 wrote to memory of 1624	1208	z3684189.exe	z9197332.exe
PID 1208 wrote to memory of 1624	1208	z3684189.exe	z9197332.exe
PID 1208 wrote to memory of 1624	1208	z3684189.exe	z9197332.exe
PID 1624 wrote to memory of 2292	1624	z9197332.exe	z4709113.exe
PID 1624 wrote to memory of 2292	1624	z9197332.exe	z4709113.exe
PID 1624 wrote to memory of 2292	1624	z9197332.exe	z4709113.exe
PID 1624 wrote to memory of 2292	1624	z9197332.exe	z4709113.exe
PID 1624 wrote to memory of 2292	1624	z9197332.exe	z4709113.exe
PID 1624 wrote to memory of 2292	1624	z9197332.exe	z4709113.exe
PID 1624 wrote to memory of 2292	1624	z9197332.exe	z4709113.exe
PID 2292 wrote to memory of 2076	2292	z4709113.exe	q2508315.exe
PID 2292 wrote to memory of 2076	2292	z4709113.exe	q2508315.exe
PID 2292 wrote to memory of 2076	2292	z4709113.exe	q2508315.exe
PID 2292 wrote to memory of 2076	2292	z4709113.exe	q2508315.exe
PID 2292 wrote to memory of 2076	2292	z4709113.exe	q2508315.exe
PID 2292 wrote to memory of 2076	2292	z4709113.exe	q2508315.exe
PID 2292 wrote to memory of 2076	2292	z4709113.exe	q2508315.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2604	2076	q2508315.exe	AppLaunch.exe
PID 2076 wrote to memory of 2656	2076	q2508315.exe	WerFault.exe
PID 2076 wrote to memory of 2656	2076	q2508315.exe	WerFault.exe
PID 2076 wrote to memory of 2656	2076	q2508315.exe	WerFault.exe
PID 2076 wrote to memory of 2656	2076	q2508315.exe	WerFault.exe
PID 2076 wrote to memory of 2656	2076	q2508315.exe	WerFault.exe
PID 2076 wrote to memory of 2656	2076	q2508315.exe	WerFault.exe
PID 2076 wrote to memory of 2656	2076	q2508315.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b052f5ef3dfebe20d00b345c6424292b.exe
"C:\Users\Admin\AppData\Local\Temp\b052f5ef3dfebe20d00b345c6424292b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6274385.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6274385.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3684189.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3684189.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9197332.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9197332.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4709113.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4709113.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 276
7⤵
- Loads dropped DLL
- Program crash
PID:2656

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6274385.exe
Filesize
982KB

MD5
4e405adb7bd96b12436cec1e0faaa63a

SHA1
9f5c6cfbb1bef9d2ae488532977b553e38f6df9f

SHA256
75306cbf4743cddfb7955fe51dd38c603df4b1fe11c4f021826d78ceee91afcb

SHA512
33ed7f310d5aa6fbf8ddb82c95db9f54920a380e9876231c763f7c07a19d1578a8a0d6352470191b55baf09ae0f7f541e6a48782459092e20b4f0dc042887571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6274385.exe
Filesize
982KB

MD5
4e405adb7bd96b12436cec1e0faaa63a

SHA1
9f5c6cfbb1bef9d2ae488532977b553e38f6df9f

SHA256
75306cbf4743cddfb7955fe51dd38c603df4b1fe11c4f021826d78ceee91afcb

SHA512
33ed7f310d5aa6fbf8ddb82c95db9f54920a380e9876231c763f7c07a19d1578a8a0d6352470191b55baf09ae0f7f541e6a48782459092e20b4f0dc042887571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3684189.exe
Filesize
799KB

MD5
19cbcf0fe6b7c2c66c29590e50252264

SHA1
24f70da1c28d263b82c6ae9d9cd15ec16d98cac0

SHA256
2a05507e7ce77e35e890652c038052f4441b2458462fad69130aa7c3ff2cbd86

SHA512
b16417927bcd27e15f23fd6142f4b9fbeab01c058a5d9af5a3073780e732895867f72d8bc8b3308768b9ffc7b49cbff283b8021991459c76dc03053a23a85fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3684189.exe
Filesize
799KB

MD5
19cbcf0fe6b7c2c66c29590e50252264

SHA1
24f70da1c28d263b82c6ae9d9cd15ec16d98cac0

SHA256
2a05507e7ce77e35e890652c038052f4441b2458462fad69130aa7c3ff2cbd86

SHA512
b16417927bcd27e15f23fd6142f4b9fbeab01c058a5d9af5a3073780e732895867f72d8bc8b3308768b9ffc7b49cbff283b8021991459c76dc03053a23a85fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9197332.exe
Filesize
616KB

MD5
0e14758afe80f464110cfdfb35e562a5

SHA1
62b6ab42520da5df6089be0c8db40a1e6be0f660

SHA256
eb1dae57c66628f2f66a93e9844c6de23338673ba6ed4c50afaaf1a4494f3dee

SHA512
276bc2f285f6528edc899b95fa0b51b0236d5f07477fad3259f21f1156ee5474cfc3e67bd98b240798959e6041b90271e3cba966a9cac313096f386d83015e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9197332.exe
Filesize
616KB

MD5
0e14758afe80f464110cfdfb35e562a5

SHA1
62b6ab42520da5df6089be0c8db40a1e6be0f660

SHA256
eb1dae57c66628f2f66a93e9844c6de23338673ba6ed4c50afaaf1a4494f3dee

SHA512
276bc2f285f6528edc899b95fa0b51b0236d5f07477fad3259f21f1156ee5474cfc3e67bd98b240798959e6041b90271e3cba966a9cac313096f386d83015e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4709113.exe
Filesize
346KB

MD5
240aab36bde38fb10f2fcb32c747a6a2

SHA1
6370fc8d56e2b290bdb71229c955884a4aa12f0e

SHA256
76e044c3d045ffec67ddc75c560b162bb63675df4b1af0c3de768438e111ca7a

SHA512
19b10d61649b85314eb0a6d927fa15d49ffe3c3817046cc04ca0f10426526c137c7ef5649442c5990566597608a043cdd9a95260ca3993c65071441004947636

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4709113.exe
Filesize
346KB

MD5
240aab36bde38fb10f2fcb32c747a6a2

SHA1
6370fc8d56e2b290bdb71229c955884a4aa12f0e

SHA256
76e044c3d045ffec67ddc75c560b162bb63675df4b1af0c3de768438e111ca7a

SHA512
19b10d61649b85314eb0a6d927fa15d49ffe3c3817046cc04ca0f10426526c137c7ef5649442c5990566597608a043cdd9a95260ca3993c65071441004947636

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6274385.exe
Filesize
982KB

MD5
4e405adb7bd96b12436cec1e0faaa63a

SHA1
9f5c6cfbb1bef9d2ae488532977b553e38f6df9f

SHA256
75306cbf4743cddfb7955fe51dd38c603df4b1fe11c4f021826d78ceee91afcb

SHA512
33ed7f310d5aa6fbf8ddb82c95db9f54920a380e9876231c763f7c07a19d1578a8a0d6352470191b55baf09ae0f7f541e6a48782459092e20b4f0dc042887571

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6274385.exe
Filesize
982KB

MD5
4e405adb7bd96b12436cec1e0faaa63a

SHA1
9f5c6cfbb1bef9d2ae488532977b553e38f6df9f

SHA256
75306cbf4743cddfb7955fe51dd38c603df4b1fe11c4f021826d78ceee91afcb

SHA512
33ed7f310d5aa6fbf8ddb82c95db9f54920a380e9876231c763f7c07a19d1578a8a0d6352470191b55baf09ae0f7f541e6a48782459092e20b4f0dc042887571

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3684189.exe
Filesize
799KB

MD5
19cbcf0fe6b7c2c66c29590e50252264

SHA1
24f70da1c28d263b82c6ae9d9cd15ec16d98cac0

SHA256
2a05507e7ce77e35e890652c038052f4441b2458462fad69130aa7c3ff2cbd86

SHA512
b16417927bcd27e15f23fd6142f4b9fbeab01c058a5d9af5a3073780e732895867f72d8bc8b3308768b9ffc7b49cbff283b8021991459c76dc03053a23a85fa0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3684189.exe
Filesize
799KB

MD5
19cbcf0fe6b7c2c66c29590e50252264

SHA1
24f70da1c28d263b82c6ae9d9cd15ec16d98cac0

SHA256
2a05507e7ce77e35e890652c038052f4441b2458462fad69130aa7c3ff2cbd86

SHA512
b16417927bcd27e15f23fd6142f4b9fbeab01c058a5d9af5a3073780e732895867f72d8bc8b3308768b9ffc7b49cbff283b8021991459c76dc03053a23a85fa0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9197332.exe
Filesize
616KB

MD5
0e14758afe80f464110cfdfb35e562a5

SHA1
62b6ab42520da5df6089be0c8db40a1e6be0f660

SHA256
eb1dae57c66628f2f66a93e9844c6de23338673ba6ed4c50afaaf1a4494f3dee

SHA512
276bc2f285f6528edc899b95fa0b51b0236d5f07477fad3259f21f1156ee5474cfc3e67bd98b240798959e6041b90271e3cba966a9cac313096f386d83015e1f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9197332.exe
Filesize
616KB

MD5
0e14758afe80f464110cfdfb35e562a5

SHA1
62b6ab42520da5df6089be0c8db40a1e6be0f660

SHA256
eb1dae57c66628f2f66a93e9844c6de23338673ba6ed4c50afaaf1a4494f3dee

SHA512
276bc2f285f6528edc899b95fa0b51b0236d5f07477fad3259f21f1156ee5474cfc3e67bd98b240798959e6041b90271e3cba966a9cac313096f386d83015e1f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4709113.exe
Filesize
346KB

MD5
240aab36bde38fb10f2fcb32c747a6a2

SHA1
6370fc8d56e2b290bdb71229c955884a4aa12f0e

SHA256
76e044c3d045ffec67ddc75c560b162bb63675df4b1af0c3de768438e111ca7a

SHA512
19b10d61649b85314eb0a6d927fa15d49ffe3c3817046cc04ca0f10426526c137c7ef5649442c5990566597608a043cdd9a95260ca3993c65071441004947636

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4709113.exe
Filesize
346KB

MD5
240aab36bde38fb10f2fcb32c747a6a2

SHA1
6370fc8d56e2b290bdb71229c955884a4aa12f0e

SHA256
76e044c3d045ffec67ddc75c560b162bb63675df4b1af0c3de768438e111ca7a

SHA512
19b10d61649b85314eb0a6d927fa15d49ffe3c3817046cc04ca0f10426526c137c7ef5649442c5990566597608a043cdd9a95260ca3993c65071441004947636

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2508315.exe
Filesize
227KB

MD5
76daaffacc7e85bdc1f9f9a940d03ea1

SHA1
e94553595c72354b9d82ae32f0c3cb4a8726d95a

SHA256
0815c37fd2c1eb2c9a28e2cf4034bce0e73cd3af52c8c640ea65421333932fb9

SHA512
e717f32a3b0a27e8be83abb59ecbd21475090a40560d95827cde84089e7717c26db1cab9ce5fe198a23587e982f99b1a9b873560237a8def512e18c0c879d232

Download Submit
memory/2604-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads