healer | a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe
Size

1.1MB
MD5

1ff470ae4b3f8ee1d4b2d7f65932a039
SHA1

c4b0207ad5f5f7eaa48fe613f2b246d4cb405cb0
SHA256

a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74
SHA512

cb167a7cebb137e21ff67f6d902971630ad11a1e2ec983285284f9b86fa291d5661c43378f31902e8c5d4802c95f59cf6836f261f875c3a32768fbee7f526c5a
SSDEEP

24576:zydja0Du8udg9EXNFsrHKrXN4A044gP+eu:GVAg9EdaGr9EngP+e

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2604-59-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-57-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-64-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-66-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

Processes:

z4061281.exez4932031.exez7996688.exez4353747.exeq0544509.exe

pid process

2412 z4061281.exe
2996 z4932031.exe
2076 z7996688.exe
2108 z4353747.exe
2788 q0544509.exe

pid	process
2412	z4061281.exe
2996	z4932031.exe
2076	z7996688.exe
2108	z4353747.exe
2788	q0544509.exe

Loads dropped DLL 15 IoCs

Processes:

a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exez4061281.exez4932031.exez7996688.exez4353747.exeq0544509.exeWerFault.exe

pid	process
1668	a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe
2412	z4061281.exe
2412	z4061281.exe
2996	z4932031.exe
2996	z4932031.exe
2076	z7996688.exe
2076	z7996688.exe
2108	z4353747.exe
2108	z4353747.exe
2108	z4353747.exe
2788	q0544509.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exez4061281.exez4932031.exez7996688.exez4353747.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4061281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4932031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7996688.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4353747.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q0544509.exe

description pid process target process

PID 2788 set thread context of 2604 2788 q0544509.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1016 2788 WerFault.exe q0544509.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2604 AppLaunch.exe
2604 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2604 AppLaunch.exe

description	pid	process	target process
PID 2788 set thread context of 2604	2788	q0544509.exe	AppLaunch.exe

pid	pid_target	process	target process
1016	2788	WerFault.exe	q0544509.exe

pid	process
2604	AppLaunch.exe
2604	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2604	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exez4061281.exez4932031.exez7996688.exez4353747.exeq0544509.exe

description	pid	process	target process
PID 1668 wrote to memory of 2412	1668	a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe	z4061281.exe
PID 1668 wrote to memory of 2412	1668	a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe	z4061281.exe
PID 1668 wrote to memory of 2412	1668	a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe	z4061281.exe
PID 1668 wrote to memory of 2412	1668	a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe	z4061281.exe
PID 1668 wrote to memory of 2412	1668	a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe	z4061281.exe
PID 1668 wrote to memory of 2412	1668	a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe	z4061281.exe
PID 1668 wrote to memory of 2412	1668	a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe	z4061281.exe
PID 2412 wrote to memory of 2996	2412	z4061281.exe	z4932031.exe
PID 2412 wrote to memory of 2996	2412	z4061281.exe	z4932031.exe
PID 2412 wrote to memory of 2996	2412	z4061281.exe	z4932031.exe
PID 2412 wrote to memory of 2996	2412	z4061281.exe	z4932031.exe
PID 2412 wrote to memory of 2996	2412	z4061281.exe	z4932031.exe
PID 2412 wrote to memory of 2996	2412	z4061281.exe	z4932031.exe
PID 2412 wrote to memory of 2996	2412	z4061281.exe	z4932031.exe
PID 2996 wrote to memory of 2076	2996	z4932031.exe	z7996688.exe
PID 2996 wrote to memory of 2076	2996	z4932031.exe	z7996688.exe
PID 2996 wrote to memory of 2076	2996	z4932031.exe	z7996688.exe
PID 2996 wrote to memory of 2076	2996	z4932031.exe	z7996688.exe
PID 2996 wrote to memory of 2076	2996	z4932031.exe	z7996688.exe
PID 2996 wrote to memory of 2076	2996	z4932031.exe	z7996688.exe
PID 2996 wrote to memory of 2076	2996	z4932031.exe	z7996688.exe
PID 2076 wrote to memory of 2108	2076	z7996688.exe	z4353747.exe
PID 2076 wrote to memory of 2108	2076	z7996688.exe	z4353747.exe
PID 2076 wrote to memory of 2108	2076	z7996688.exe	z4353747.exe
PID 2076 wrote to memory of 2108	2076	z7996688.exe	z4353747.exe
PID 2076 wrote to memory of 2108	2076	z7996688.exe	z4353747.exe
PID 2076 wrote to memory of 2108	2076	z7996688.exe	z4353747.exe
PID 2076 wrote to memory of 2108	2076	z7996688.exe	z4353747.exe
PID 2108 wrote to memory of 2788	2108	z4353747.exe	q0544509.exe
PID 2108 wrote to memory of 2788	2108	z4353747.exe	q0544509.exe
PID 2108 wrote to memory of 2788	2108	z4353747.exe	q0544509.exe
PID 2108 wrote to memory of 2788	2108	z4353747.exe	q0544509.exe
PID 2108 wrote to memory of 2788	2108	z4353747.exe	q0544509.exe
PID 2108 wrote to memory of 2788	2108	z4353747.exe	q0544509.exe
PID 2108 wrote to memory of 2788	2108	z4353747.exe	q0544509.exe
PID 2788 wrote to memory of 2784	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2784	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2784	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2784	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2784	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2784	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2784	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2100	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2100	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2100	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2100	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2100	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2100	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2100	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2340	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2340	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2340	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2340	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2340	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2340	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2340	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2604	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2604	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2604	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2604	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2604	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2604	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2604	2788	q0544509.exe	AppLaunch.exe
PID 2788 wrote to memory of 2604	2788	q0544509.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe
"C:\Users\Admin\AppData\Local\Temp\a1d6be93ea1f7051e19504af5388665ecf5862be51cdb1df4895ab196defbf74.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4061281.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4061281.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4932031.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4932031.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7996688.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7996688.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4353747.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4353747.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 300
7⤵
- Loads dropped DLL
- Program crash
PID:1016

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4061281.exe
Filesize
982KB

MD5
69b0f73977ce3442a83d162278133b1b

SHA1
6438f9515be1cc7b9721c7bd072710ce62314c0d

SHA256
d932de6099ee34b2ba24b1957c52b18d2c3cd85069307d8803a52066f60f77ee

SHA512
b39518f93fd0781ef8caa187a0afdf13a4f926ebea53cc9ecc90887539139b54134560d54106d361aa7c50c38ac43b5ebbd9e3e417fb141d45dd2f9115cc4c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4061281.exe
Filesize
982KB

MD5
69b0f73977ce3442a83d162278133b1b

SHA1
6438f9515be1cc7b9721c7bd072710ce62314c0d

SHA256
d932de6099ee34b2ba24b1957c52b18d2c3cd85069307d8803a52066f60f77ee

SHA512
b39518f93fd0781ef8caa187a0afdf13a4f926ebea53cc9ecc90887539139b54134560d54106d361aa7c50c38ac43b5ebbd9e3e417fb141d45dd2f9115cc4c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4932031.exe
Filesize
798KB

MD5
c14c6ce0a5c4c051b1ca704482e683e3

SHA1
04f558aa5193f96787b098e25d8ef055ad6dcaf2

SHA256
c018300d18069cc12be145694d3e4b6ac22f7dba4da433500642a43179b2a54f

SHA512
6c32dbceb146684cacf180f68b6ba9918fbf08c08989d8263f2f114e99a7f8c2a228e9a872b8d82516a9dd6251c5fa56fb3815f035bfc4bd0782d3c4a1e84116

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4932031.exe
Filesize
798KB

MD5
c14c6ce0a5c4c051b1ca704482e683e3

SHA1
04f558aa5193f96787b098e25d8ef055ad6dcaf2

SHA256
c018300d18069cc12be145694d3e4b6ac22f7dba4da433500642a43179b2a54f

SHA512
6c32dbceb146684cacf180f68b6ba9918fbf08c08989d8263f2f114e99a7f8c2a228e9a872b8d82516a9dd6251c5fa56fb3815f035bfc4bd0782d3c4a1e84116

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7996688.exe
Filesize
617KB

MD5
48e77e52f4aad2d83282c119d19eeeb2

SHA1
877b720ec0775e3c425afe883bc942f41a53f376

SHA256
6fa341344e790b303d3e3720104fe759d28f5abd307b3791d698ff0e0d09a4dc

SHA512
b552e1e3dc1f860a11b376d66d3ea643c70a7ed03d8880f1d88706d782e4feb0a0979c63e86ba822fd146fedf738d32505be14a173ea3687b2c3c956fb6006c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7996688.exe
Filesize
617KB

MD5
48e77e52f4aad2d83282c119d19eeeb2

SHA1
877b720ec0775e3c425afe883bc942f41a53f376

SHA256
6fa341344e790b303d3e3720104fe759d28f5abd307b3791d698ff0e0d09a4dc

SHA512
b552e1e3dc1f860a11b376d66d3ea643c70a7ed03d8880f1d88706d782e4feb0a0979c63e86ba822fd146fedf738d32505be14a173ea3687b2c3c956fb6006c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4353747.exe
Filesize
346KB

MD5
876183941777b9921ffeb907d76e4c9e

SHA1
3d719b6a0295122de14c0864153daf26b9705179

SHA256
d79d9667ac3f2e2ce29cc34379f0d80f8ec0828c1805d4e182709cd2db07b126

SHA512
2a9e9ff0a9e5398495fb9838c31ac0f41605dc9e9bc8461902ee4ffd6bf001b874bc63613ff1c975f53c166de611c86991e4cc68dd125914c3722fac39be423a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4353747.exe
Filesize
346KB

MD5
876183941777b9921ffeb907d76e4c9e

SHA1
3d719b6a0295122de14c0864153daf26b9705179

SHA256
d79d9667ac3f2e2ce29cc34379f0d80f8ec0828c1805d4e182709cd2db07b126

SHA512
2a9e9ff0a9e5398495fb9838c31ac0f41605dc9e9bc8461902ee4ffd6bf001b874bc63613ff1c975f53c166de611c86991e4cc68dd125914c3722fac39be423a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4061281.exe
Filesize
982KB

MD5
69b0f73977ce3442a83d162278133b1b

SHA1
6438f9515be1cc7b9721c7bd072710ce62314c0d

SHA256
d932de6099ee34b2ba24b1957c52b18d2c3cd85069307d8803a52066f60f77ee

SHA512
b39518f93fd0781ef8caa187a0afdf13a4f926ebea53cc9ecc90887539139b54134560d54106d361aa7c50c38ac43b5ebbd9e3e417fb141d45dd2f9115cc4c7f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4061281.exe
Filesize
982KB

MD5
69b0f73977ce3442a83d162278133b1b

SHA1
6438f9515be1cc7b9721c7bd072710ce62314c0d

SHA256
d932de6099ee34b2ba24b1957c52b18d2c3cd85069307d8803a52066f60f77ee

SHA512
b39518f93fd0781ef8caa187a0afdf13a4f926ebea53cc9ecc90887539139b54134560d54106d361aa7c50c38ac43b5ebbd9e3e417fb141d45dd2f9115cc4c7f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4932031.exe
Filesize
798KB

MD5
c14c6ce0a5c4c051b1ca704482e683e3

SHA1
04f558aa5193f96787b098e25d8ef055ad6dcaf2

SHA256
c018300d18069cc12be145694d3e4b6ac22f7dba4da433500642a43179b2a54f

SHA512
6c32dbceb146684cacf180f68b6ba9918fbf08c08989d8263f2f114e99a7f8c2a228e9a872b8d82516a9dd6251c5fa56fb3815f035bfc4bd0782d3c4a1e84116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4932031.exe
Filesize
798KB

MD5
c14c6ce0a5c4c051b1ca704482e683e3

SHA1
04f558aa5193f96787b098e25d8ef055ad6dcaf2

SHA256
c018300d18069cc12be145694d3e4b6ac22f7dba4da433500642a43179b2a54f

SHA512
6c32dbceb146684cacf180f68b6ba9918fbf08c08989d8263f2f114e99a7f8c2a228e9a872b8d82516a9dd6251c5fa56fb3815f035bfc4bd0782d3c4a1e84116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7996688.exe
Filesize
617KB

MD5
48e77e52f4aad2d83282c119d19eeeb2

SHA1
877b720ec0775e3c425afe883bc942f41a53f376

SHA256
6fa341344e790b303d3e3720104fe759d28f5abd307b3791d698ff0e0d09a4dc

SHA512
b552e1e3dc1f860a11b376d66d3ea643c70a7ed03d8880f1d88706d782e4feb0a0979c63e86ba822fd146fedf738d32505be14a173ea3687b2c3c956fb6006c1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7996688.exe
Filesize
617KB

MD5
48e77e52f4aad2d83282c119d19eeeb2

SHA1
877b720ec0775e3c425afe883bc942f41a53f376

SHA256
6fa341344e790b303d3e3720104fe759d28f5abd307b3791d698ff0e0d09a4dc

SHA512
b552e1e3dc1f860a11b376d66d3ea643c70a7ed03d8880f1d88706d782e4feb0a0979c63e86ba822fd146fedf738d32505be14a173ea3687b2c3c956fb6006c1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4353747.exe
Filesize
346KB

MD5
876183941777b9921ffeb907d76e4c9e

SHA1
3d719b6a0295122de14c0864153daf26b9705179

SHA256
d79d9667ac3f2e2ce29cc34379f0d80f8ec0828c1805d4e182709cd2db07b126

SHA512
2a9e9ff0a9e5398495fb9838c31ac0f41605dc9e9bc8461902ee4ffd6bf001b874bc63613ff1c975f53c166de611c86991e4cc68dd125914c3722fac39be423a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4353747.exe
Filesize
346KB

MD5
876183941777b9921ffeb907d76e4c9e

SHA1
3d719b6a0295122de14c0864153daf26b9705179

SHA256
d79d9667ac3f2e2ce29cc34379f0d80f8ec0828c1805d4e182709cd2db07b126

SHA512
2a9e9ff0a9e5398495fb9838c31ac0f41605dc9e9bc8461902ee4ffd6bf001b874bc63613ff1c975f53c166de611c86991e4cc68dd125914c3722fac39be423a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0544509.exe
Filesize
227KB

MD5
b543b0f8e93840a921dbf1056cf814dd

SHA1
47a4c9b9cdc2b1076496e19d76b9521f2fa338a8

SHA256
acced14b2229431b82e44868777e017aab09c925ad7fef84b23f2b7043df53fa

SHA512
a1fb64f116591250c54f443cb7db9858dc9aba2654adc73fa3fefb8a5df2f5075985eddcce27a49da51afff44b23f865931142baa8237c3cc1a01d3ea3272e73

Download Submit
memory/2604-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-66-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-59-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads