healer | fcf8b3334a4c5863aa1006ca4674c344f1f39c2ca19a010722671494c14e985b

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f65ab4da30e9b04d84b7915db39f4a1.exe
Size

891KB
MD5

1f65ab4da30e9b04d84b7915db39f4a1
SHA1

f96ec434ae23935d5162ac498cc33345c1da0694
SHA256

fcf8b3334a4c5863aa1006ca4674c344f1f39c2ca19a010722671494c14e985b
SHA512

a381f4389b98da13e9fc4fe68cf80d059b4e014bbadb1329738717051d9c0fc1b4dc4915354b8cbb5728363e553a891b62522b8e66083ad3bc656d552eaa3af9
SSDEEP

24576:iyxdq0OlRqWXozrUOk61DBg82gwNVuPcV:JxdElRGPUJ6fg82g/c

Score

10^/10

healer mystic dropper evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2508-54-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2508-55-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2508-56-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2508-58-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3031715.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3031715.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3031715.exe	healer
behavioral1/memory/2796-38-0x0000000000B70000-0x0000000000B7A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q3031715.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q3031715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q3031715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q3031715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q3031715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q3031715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q3031715.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Executes dropped EXE 5 IoCs

Processes:

z5854622.exez9282105.exez6233666.exeq3031715.exer1648068.exe

pid process

1700 z5854622.exe
2600 z9282105.exe
2656 z6233666.exe
2796 q3031715.exe
2536 r1648068.exe

pid	process
1700	z5854622.exe
2600	z9282105.exe
2656	z6233666.exe
2796	q3031715.exe
2536	r1648068.exe

Loads dropped DLL 14 IoCs

Processes:

1f65ab4da30e9b04d84b7915db39f4a1.exez5854622.exez9282105.exez6233666.exer1648068.exeWerFault.exe

pid	process
1780	1f65ab4da30e9b04d84b7915db39f4a1.exe
1700	z5854622.exe
1700	z5854622.exe
2600	z9282105.exe
2600	z9282105.exe
2656	z6233666.exe
2656	z6233666.exe
2656	z6233666.exe
2656	z6233666.exe
2536	r1648068.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

q3031715.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	q3031715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q3031715.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f65ab4da30e9b04d84b7915db39f4a1.exez5854622.exez9282105.exez6233666.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1f65ab4da30e9b04d84b7915db39f4a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5854622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9282105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6233666.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

r1648068.exe

description pid process target process

PID 2536 set thread context of 2508 2536 r1648068.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2628 2536 WerFault.exe r1648068.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

q3031715.exe

pid process

2796 q3031715.exe
2796 q3031715.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

q3031715.exe

description pid process

Token: SeDebugPrivilege 2796 q3031715.exe

description	pid	process	target process
PID 2536 set thread context of 2508	2536	r1648068.exe	AppLaunch.exe

pid	pid_target	process	target process
2628	2536	WerFault.exe	r1648068.exe

pid	process
2796	q3031715.exe
2796	q3031715.exe

description	pid	process
Token: SeDebugPrivilege	2796	q3031715.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

1f65ab4da30e9b04d84b7915db39f4a1.exez5854622.exez9282105.exez6233666.exer1648068.exe

description	pid	process	target process
PID 1780 wrote to memory of 1700	1780	1f65ab4da30e9b04d84b7915db39f4a1.exe	z5854622.exe
PID 1780 wrote to memory of 1700	1780	1f65ab4da30e9b04d84b7915db39f4a1.exe	z5854622.exe
PID 1780 wrote to memory of 1700	1780	1f65ab4da30e9b04d84b7915db39f4a1.exe	z5854622.exe
PID 1780 wrote to memory of 1700	1780	1f65ab4da30e9b04d84b7915db39f4a1.exe	z5854622.exe
PID 1780 wrote to memory of 1700	1780	1f65ab4da30e9b04d84b7915db39f4a1.exe	z5854622.exe
PID 1780 wrote to memory of 1700	1780	1f65ab4da30e9b04d84b7915db39f4a1.exe	z5854622.exe
PID 1780 wrote to memory of 1700	1780	1f65ab4da30e9b04d84b7915db39f4a1.exe	z5854622.exe
PID 1700 wrote to memory of 2600	1700	z5854622.exe	z9282105.exe
PID 1700 wrote to memory of 2600	1700	z5854622.exe	z9282105.exe
PID 1700 wrote to memory of 2600	1700	z5854622.exe	z9282105.exe
PID 1700 wrote to memory of 2600	1700	z5854622.exe	z9282105.exe
PID 1700 wrote to memory of 2600	1700	z5854622.exe	z9282105.exe
PID 1700 wrote to memory of 2600	1700	z5854622.exe	z9282105.exe
PID 1700 wrote to memory of 2600	1700	z5854622.exe	z9282105.exe
PID 2600 wrote to memory of 2656	2600	z9282105.exe	z6233666.exe
PID 2600 wrote to memory of 2656	2600	z9282105.exe	z6233666.exe
PID 2600 wrote to memory of 2656	2600	z9282105.exe	z6233666.exe
PID 2600 wrote to memory of 2656	2600	z9282105.exe	z6233666.exe
PID 2600 wrote to memory of 2656	2600	z9282105.exe	z6233666.exe
PID 2600 wrote to memory of 2656	2600	z9282105.exe	z6233666.exe
PID 2600 wrote to memory of 2656	2600	z9282105.exe	z6233666.exe
PID 2656 wrote to memory of 2796	2656	z6233666.exe	q3031715.exe
PID 2656 wrote to memory of 2796	2656	z6233666.exe	q3031715.exe
PID 2656 wrote to memory of 2796	2656	z6233666.exe	q3031715.exe
PID 2656 wrote to memory of 2796	2656	z6233666.exe	q3031715.exe
PID 2656 wrote to memory of 2796	2656	z6233666.exe	q3031715.exe
PID 2656 wrote to memory of 2796	2656	z6233666.exe	q3031715.exe
PID 2656 wrote to memory of 2796	2656	z6233666.exe	q3031715.exe
PID 2656 wrote to memory of 2536	2656	z6233666.exe	r1648068.exe
PID 2656 wrote to memory of 2536	2656	z6233666.exe	r1648068.exe
PID 2656 wrote to memory of 2536	2656	z6233666.exe	r1648068.exe
PID 2656 wrote to memory of 2536	2656	z6233666.exe	r1648068.exe
PID 2656 wrote to memory of 2536	2656	z6233666.exe	r1648068.exe
PID 2656 wrote to memory of 2536	2656	z6233666.exe	r1648068.exe
PID 2656 wrote to memory of 2536	2656	z6233666.exe	r1648068.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2508	2536	r1648068.exe	AppLaunch.exe
PID 2536 wrote to memory of 2628	2536	r1648068.exe	WerFault.exe
PID 2536 wrote to memory of 2628	2536	r1648068.exe	WerFault.exe
PID 2536 wrote to memory of 2628	2536	r1648068.exe	WerFault.exe
PID 2536 wrote to memory of 2628	2536	r1648068.exe	WerFault.exe
PID 2536 wrote to memory of 2628	2536	r1648068.exe	WerFault.exe
PID 2536 wrote to memory of 2628	2536	r1648068.exe	WerFault.exe
PID 2536 wrote to memory of 2628	2536	r1648068.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1f65ab4da30e9b04d84b7915db39f4a1.exe
"C:\Users\Admin\AppData\Local\Temp\1f65ab4da30e9b04d84b7915db39f4a1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5854622.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5854622.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9282105.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9282105.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6233666.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6233666.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3031715.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3031715.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:2628

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5854622.exe
Filesize
709KB

MD5
f71f837667812889e57db8b786a0aff0

SHA1
d8e6d16463e2bec441ed50cda36966f7022672dc

SHA256
ad6b5ffcb6755d42ddd1e043bfd03819ad3302cffcc3952745fe23d39401510e

SHA512
3088f89372f7053310a9c0c9ca7f7857d12685a3b3d97bf62c705e32b1cdee036c81bec8e46c773506930b45d82cc8645d3855e7fc1f5f210b8ac996196b8f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5854622.exe
Filesize
709KB

MD5
f71f837667812889e57db8b786a0aff0

SHA1
d8e6d16463e2bec441ed50cda36966f7022672dc

SHA256
ad6b5ffcb6755d42ddd1e043bfd03819ad3302cffcc3952745fe23d39401510e

SHA512
3088f89372f7053310a9c0c9ca7f7857d12685a3b3d97bf62c705e32b1cdee036c81bec8e46c773506930b45d82cc8645d3855e7fc1f5f210b8ac996196b8f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9282105.exe
Filesize
527KB

MD5
78f56ae5dee9a413331cd6702404e8ce

SHA1
2f565fa995f2e53f6c700c8ac8e830fa35439d83

SHA256
fa71d82a3b1712e0cfeac0f07682a21ac77dcc8f137cbf7533cebf4515dbe7ef

SHA512
745250e52bf9a1415178255b758946a2677b39d5f64268cd8318be9961c969cd0212f41bbac19cb0d4854e7381824ad013438592ff626df86df5c51e7c9ecb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9282105.exe
Filesize
527KB

MD5
78f56ae5dee9a413331cd6702404e8ce

SHA1
2f565fa995f2e53f6c700c8ac8e830fa35439d83

SHA256
fa71d82a3b1712e0cfeac0f07682a21ac77dcc8f137cbf7533cebf4515dbe7ef

SHA512
745250e52bf9a1415178255b758946a2677b39d5f64268cd8318be9961c969cd0212f41bbac19cb0d4854e7381824ad013438592ff626df86df5c51e7c9ecb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6233666.exe
Filesize
296KB

MD5
5aef654b484faa27b1663dd681a48aa3

SHA1
927481059577b28bfa7990ef927650c22872e903

SHA256
16e4f640c04b005f712bb451d0f9156061aef98854ab0b22e00407c425dda9cb

SHA512
b91850153ccec3239fd870f9bb42604ab20af8b5314c00999be2dce491f5c8e95e0b7d97040feb8fbc41fc38cc6eee6f6b01cf70dd55b90107b833b786e784f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6233666.exe
Filesize
296KB

MD5
5aef654b484faa27b1663dd681a48aa3

SHA1
927481059577b28bfa7990ef927650c22872e903

SHA256
16e4f640c04b005f712bb451d0f9156061aef98854ab0b22e00407c425dda9cb

SHA512
b91850153ccec3239fd870f9bb42604ab20af8b5314c00999be2dce491f5c8e95e0b7d97040feb8fbc41fc38cc6eee6f6b01cf70dd55b90107b833b786e784f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3031715.exe
Filesize
11KB

MD5
ba5afc363bb86d0b1288238fe497d0c8

SHA1
edf08b6fd20be6ab8eb76fdd81b1992033d30d25

SHA256
25652893318851800c1473c6f4be6e27808926c5e1736a176e93903e5bf9cdfe

SHA512
35b4f8885b2fcdff38439ca28ce3bc4ee9eec64f20e4c036e61ca4ab330e8b9965b98247c22ffc25de094ece2fe34f4ec06a5cd7597c4f6d778aa56bd01ab26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3031715.exe
Filesize
11KB

MD5
ba5afc363bb86d0b1288238fe497d0c8

SHA1
edf08b6fd20be6ab8eb76fdd81b1992033d30d25

SHA256
25652893318851800c1473c6f4be6e27808926c5e1736a176e93903e5bf9cdfe

SHA512
35b4f8885b2fcdff38439ca28ce3bc4ee9eec64f20e4c036e61ca4ab330e8b9965b98247c22ffc25de094ece2fe34f4ec06a5cd7597c4f6d778aa56bd01ab26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5854622.exe
Filesize
709KB

MD5
f71f837667812889e57db8b786a0aff0

SHA1
d8e6d16463e2bec441ed50cda36966f7022672dc

SHA256
ad6b5ffcb6755d42ddd1e043bfd03819ad3302cffcc3952745fe23d39401510e

SHA512
3088f89372f7053310a9c0c9ca7f7857d12685a3b3d97bf62c705e32b1cdee036c81bec8e46c773506930b45d82cc8645d3855e7fc1f5f210b8ac996196b8f53

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5854622.exe
Filesize
709KB

MD5
f71f837667812889e57db8b786a0aff0

SHA1
d8e6d16463e2bec441ed50cda36966f7022672dc

SHA256
ad6b5ffcb6755d42ddd1e043bfd03819ad3302cffcc3952745fe23d39401510e

SHA512
3088f89372f7053310a9c0c9ca7f7857d12685a3b3d97bf62c705e32b1cdee036c81bec8e46c773506930b45d82cc8645d3855e7fc1f5f210b8ac996196b8f53

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9282105.exe
Filesize
527KB

MD5
78f56ae5dee9a413331cd6702404e8ce

SHA1
2f565fa995f2e53f6c700c8ac8e830fa35439d83

SHA256
fa71d82a3b1712e0cfeac0f07682a21ac77dcc8f137cbf7533cebf4515dbe7ef

SHA512
745250e52bf9a1415178255b758946a2677b39d5f64268cd8318be9961c969cd0212f41bbac19cb0d4854e7381824ad013438592ff626df86df5c51e7c9ecb79

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9282105.exe
Filesize
527KB

MD5
78f56ae5dee9a413331cd6702404e8ce

SHA1
2f565fa995f2e53f6c700c8ac8e830fa35439d83

SHA256
fa71d82a3b1712e0cfeac0f07682a21ac77dcc8f137cbf7533cebf4515dbe7ef

SHA512
745250e52bf9a1415178255b758946a2677b39d5f64268cd8318be9961c969cd0212f41bbac19cb0d4854e7381824ad013438592ff626df86df5c51e7c9ecb79

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6233666.exe
Filesize
296KB

MD5
5aef654b484faa27b1663dd681a48aa3

SHA1
927481059577b28bfa7990ef927650c22872e903

SHA256
16e4f640c04b005f712bb451d0f9156061aef98854ab0b22e00407c425dda9cb

SHA512
b91850153ccec3239fd870f9bb42604ab20af8b5314c00999be2dce491f5c8e95e0b7d97040feb8fbc41fc38cc6eee6f6b01cf70dd55b90107b833b786e784f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6233666.exe
Filesize
296KB

MD5
5aef654b484faa27b1663dd681a48aa3

SHA1
927481059577b28bfa7990ef927650c22872e903

SHA256
16e4f640c04b005f712bb451d0f9156061aef98854ab0b22e00407c425dda9cb

SHA512
b91850153ccec3239fd870f9bb42604ab20af8b5314c00999be2dce491f5c8e95e0b7d97040feb8fbc41fc38cc6eee6f6b01cf70dd55b90107b833b786e784f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3031715.exe
Filesize
11KB

MD5
ba5afc363bb86d0b1288238fe497d0c8

SHA1
edf08b6fd20be6ab8eb76fdd81b1992033d30d25

SHA256
25652893318851800c1473c6f4be6e27808926c5e1736a176e93903e5bf9cdfe

SHA512
35b4f8885b2fcdff38439ca28ce3bc4ee9eec64f20e4c036e61ca4ab330e8b9965b98247c22ffc25de094ece2fe34f4ec06a5cd7597c4f6d778aa56bd01ab26a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1648068.exe
Filesize
276KB

MD5
75bb5293eb4a112efd242fdc1ee652a6

SHA1
f6bc7886d3288b8dd16a9ccf9df122f0edb637e0

SHA256
f4ba030ddff0482c1a86ac362b9528457653b848a24c17c8d477131979ab9466

SHA512
59d9bd0084f88b800b2f738b85eee6b328ff33a5c6cfbd4008801c9520278429718e7ef3fee1502ce6534d7ded00b279750421a32e1340fcd9ac73b52df3e7cb

Download Submit
memory/2508-53-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-52-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-51-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2796-41-0x000007FEF5AE0000-0x000007FEF64CC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-40-0x000007FEF5AE0000-0x000007FEF64CC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-39-0x000007FEF5AE0000-0x000007FEF64CC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-38-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads