healer | d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd

Analysis

max time kernel
120s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe
Size

1.1MB
MD5

3fd18610b9c31eb6fc450bf626d7ea7d
SHA1

1b0513f783036323dfc340d03b2a27474eaa6ce9
SHA256

d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd
SHA512

e7d1dbf5fe24d14105555b3147e7e617f8de3f3913948e88dc43c17826eebeaff6f26e7920ccb82cf6cfc960d1a06031b1b5ac26cc029e11743bf6580cb63fc2
SSDEEP

24576:6yxRJaqQK1f3tXmFIQT2kff9kCnwIFpYu5cw5oMpq:BZaqFENrfvwOOulp

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2888-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2888-59-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2888-57-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2888-64-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2888-66-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

Processes:

z4215849.exez4780114.exez9539404.exez2924053.exeq8620071.exe

pid process

1696 z4215849.exe
2292 z4780114.exe
2664 z9539404.exe
2672 z2924053.exe
1960 q8620071.exe

pid	process
1696	z4215849.exe
2292	z4780114.exe
2664	z9539404.exe
2672	z2924053.exe
1960	q8620071.exe

Loads dropped DLL 15 IoCs

Processes:

d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exez4215849.exez4780114.exez9539404.exez2924053.exeq8620071.exeWerFault.exe

pid	process
2968	d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe
1696	z4215849.exe
1696	z4215849.exe
2292	z4780114.exe
2292	z4780114.exe
2664	z9539404.exe
2664	z9539404.exe
2672	z2924053.exe
2672	z2924053.exe
2672	z2924053.exe
1960	q8620071.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exez4215849.exez4780114.exez9539404.exez2924053.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4215849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4780114.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9539404.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2924053.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q8620071.exe

description pid process target process

PID 1960 set thread context of 2888 1960 q8620071.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2512 1960 WerFault.exe q8620071.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2888 AppLaunch.exe
2888 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2888 AppLaunch.exe

description	pid	process	target process
PID 1960 set thread context of 2888	1960	q8620071.exe	AppLaunch.exe

pid	pid_target	process	target process
2512	1960	WerFault.exe	q8620071.exe

pid	process
2888	AppLaunch.exe
2888	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2888	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exez4215849.exez4780114.exez9539404.exez2924053.exeq8620071.exe

description	pid	process	target process
PID 2968 wrote to memory of 1696	2968	d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe	z4215849.exe
PID 2968 wrote to memory of 1696	2968	d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe	z4215849.exe
PID 2968 wrote to memory of 1696	2968	d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe	z4215849.exe
PID 2968 wrote to memory of 1696	2968	d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe	z4215849.exe
PID 2968 wrote to memory of 1696	2968	d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe	z4215849.exe
PID 2968 wrote to memory of 1696	2968	d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe	z4215849.exe
PID 2968 wrote to memory of 1696	2968	d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe	z4215849.exe
PID 1696 wrote to memory of 2292	1696	z4215849.exe	z4780114.exe
PID 1696 wrote to memory of 2292	1696	z4215849.exe	z4780114.exe
PID 1696 wrote to memory of 2292	1696	z4215849.exe	z4780114.exe
PID 1696 wrote to memory of 2292	1696	z4215849.exe	z4780114.exe
PID 1696 wrote to memory of 2292	1696	z4215849.exe	z4780114.exe
PID 1696 wrote to memory of 2292	1696	z4215849.exe	z4780114.exe
PID 1696 wrote to memory of 2292	1696	z4215849.exe	z4780114.exe
PID 2292 wrote to memory of 2664	2292	z4780114.exe	z9539404.exe
PID 2292 wrote to memory of 2664	2292	z4780114.exe	z9539404.exe
PID 2292 wrote to memory of 2664	2292	z4780114.exe	z9539404.exe
PID 2292 wrote to memory of 2664	2292	z4780114.exe	z9539404.exe
PID 2292 wrote to memory of 2664	2292	z4780114.exe	z9539404.exe
PID 2292 wrote to memory of 2664	2292	z4780114.exe	z9539404.exe
PID 2292 wrote to memory of 2664	2292	z4780114.exe	z9539404.exe
PID 2664 wrote to memory of 2672	2664	z9539404.exe	z2924053.exe
PID 2664 wrote to memory of 2672	2664	z9539404.exe	z2924053.exe
PID 2664 wrote to memory of 2672	2664	z9539404.exe	z2924053.exe
PID 2664 wrote to memory of 2672	2664	z9539404.exe	z2924053.exe
PID 2664 wrote to memory of 2672	2664	z9539404.exe	z2924053.exe
PID 2664 wrote to memory of 2672	2664	z9539404.exe	z2924053.exe
PID 2664 wrote to memory of 2672	2664	z9539404.exe	z2924053.exe
PID 2672 wrote to memory of 1960	2672	z2924053.exe	q8620071.exe
PID 2672 wrote to memory of 1960	2672	z2924053.exe	q8620071.exe
PID 2672 wrote to memory of 1960	2672	z2924053.exe	q8620071.exe
PID 2672 wrote to memory of 1960	2672	z2924053.exe	q8620071.exe
PID 2672 wrote to memory of 1960	2672	z2924053.exe	q8620071.exe
PID 2672 wrote to memory of 1960	2672	z2924053.exe	q8620071.exe
PID 2672 wrote to memory of 1960	2672	z2924053.exe	q8620071.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2888	1960	q8620071.exe	AppLaunch.exe
PID 1960 wrote to memory of 2512	1960	q8620071.exe	WerFault.exe
PID 1960 wrote to memory of 2512	1960	q8620071.exe	WerFault.exe
PID 1960 wrote to memory of 2512	1960	q8620071.exe	WerFault.exe
PID 1960 wrote to memory of 2512	1960	q8620071.exe	WerFault.exe
PID 1960 wrote to memory of 2512	1960	q8620071.exe	WerFault.exe
PID 1960 wrote to memory of 2512	1960	q8620071.exe	WerFault.exe
PID 1960 wrote to memory of 2512	1960	q8620071.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d9fefaf017bcb31b2d6fdbd90c1c9ff4b02a2e63e391295171b9a34af42adfdd_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4215849.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4215849.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4780114.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4780114.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9539404.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9539404.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2924053.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2924053.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 272
7⤵
- Loads dropped DLL
- Program crash
PID:2512

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4215849.exe
Filesize
997KB

MD5
b03e47b75eb28e1899cd39fc4c56c96f

SHA1
46b0f39c2995b7a19a1c18df4f9236f55f40b50d

SHA256
261eb1abd2c3f94c1ca0e9dd3f8c2ed02671b4d69bc0913d1fb558690c396081

SHA512
961f0eda2ddf44f5379cff62292bf7a6cb2cfa1bd4fe5bb64c90cfd079d9157d7dd3b5fab32da8ee2e69a3aae56d7adbae3bdf35ec2177802be7f6f521a3947e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4215849.exe
Filesize
997KB

MD5
b03e47b75eb28e1899cd39fc4c56c96f

SHA1
46b0f39c2995b7a19a1c18df4f9236f55f40b50d

SHA256
261eb1abd2c3f94c1ca0e9dd3f8c2ed02671b4d69bc0913d1fb558690c396081

SHA512
961f0eda2ddf44f5379cff62292bf7a6cb2cfa1bd4fe5bb64c90cfd079d9157d7dd3b5fab32da8ee2e69a3aae56d7adbae3bdf35ec2177802be7f6f521a3947e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4780114.exe
Filesize
814KB

MD5
c7e22224e90b9aefbe40173021b5bf78

SHA1
06f43f749a314a268f3182f5ba77003621f14949

SHA256
7d08d3fde33a5dd82864206e8f3275208e3850934690b673aa6c7d0c3ed9e4f8

SHA512
f471e0dbeeed3a713ae85406497442f4cbf3b4f5814a38fa51edfdc3ca78d90a1f1464f7f8cd4fdab7fd562b29f76875e83380378020e004a576ca78c36bdf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4780114.exe
Filesize
814KB

MD5
c7e22224e90b9aefbe40173021b5bf78

SHA1
06f43f749a314a268f3182f5ba77003621f14949

SHA256
7d08d3fde33a5dd82864206e8f3275208e3850934690b673aa6c7d0c3ed9e4f8

SHA512
f471e0dbeeed3a713ae85406497442f4cbf3b4f5814a38fa51edfdc3ca78d90a1f1464f7f8cd4fdab7fd562b29f76875e83380378020e004a576ca78c36bdf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9539404.exe
Filesize
631KB

MD5
8720ddee8599f350f8efeb71506d7adc

SHA1
c6f7ad32bd368edc95b2dcbbddf9448b1840ac87

SHA256
8d93a47c80e14623dd86ec1d776cc989967fab4900de7eba7fc8f010c338b128

SHA512
43847f8fff75be03976385b5efa36c8ff96563b06c12c71134323a56ae77bd811d4802610163cd885d535d96d0ae5a049d7b4b892574c8a887feeabdd5dbb69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9539404.exe
Filesize
631KB

MD5
8720ddee8599f350f8efeb71506d7adc

SHA1
c6f7ad32bd368edc95b2dcbbddf9448b1840ac87

SHA256
8d93a47c80e14623dd86ec1d776cc989967fab4900de7eba7fc8f010c338b128

SHA512
43847f8fff75be03976385b5efa36c8ff96563b06c12c71134323a56ae77bd811d4802610163cd885d535d96d0ae5a049d7b4b892574c8a887feeabdd5dbb69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2924053.exe
Filesize
354KB

MD5
5e56f2be8f48cd561c9bbd8bc436d7bc

SHA1
32ec7c517d7eeb41fb1b9bf13327c99c39e0a227

SHA256
83609e14c1c46aa013cb0245488d0ae94c59fabbff0026cd482e0f21c511c8c0

SHA512
5873ab9ad0901dad996dd66f5728971fa14a6bf3f530698a564373827ec8b6ac44671269b71fb7eff42a5a5eb8282dd3ba8446de54d6954d6c5aa78edcc13a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2924053.exe
Filesize
354KB

MD5
5e56f2be8f48cd561c9bbd8bc436d7bc

SHA1
32ec7c517d7eeb41fb1b9bf13327c99c39e0a227

SHA256
83609e14c1c46aa013cb0245488d0ae94c59fabbff0026cd482e0f21c511c8c0

SHA512
5873ab9ad0901dad996dd66f5728971fa14a6bf3f530698a564373827ec8b6ac44671269b71fb7eff42a5a5eb8282dd3ba8446de54d6954d6c5aa78edcc13a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4215849.exe
Filesize
997KB

MD5
b03e47b75eb28e1899cd39fc4c56c96f

SHA1
46b0f39c2995b7a19a1c18df4f9236f55f40b50d

SHA256
261eb1abd2c3f94c1ca0e9dd3f8c2ed02671b4d69bc0913d1fb558690c396081

SHA512
961f0eda2ddf44f5379cff62292bf7a6cb2cfa1bd4fe5bb64c90cfd079d9157d7dd3b5fab32da8ee2e69a3aae56d7adbae3bdf35ec2177802be7f6f521a3947e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4215849.exe
Filesize
997KB

MD5
b03e47b75eb28e1899cd39fc4c56c96f

SHA1
46b0f39c2995b7a19a1c18df4f9236f55f40b50d

SHA256
261eb1abd2c3f94c1ca0e9dd3f8c2ed02671b4d69bc0913d1fb558690c396081

SHA512
961f0eda2ddf44f5379cff62292bf7a6cb2cfa1bd4fe5bb64c90cfd079d9157d7dd3b5fab32da8ee2e69a3aae56d7adbae3bdf35ec2177802be7f6f521a3947e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4780114.exe
Filesize
814KB

MD5
c7e22224e90b9aefbe40173021b5bf78

SHA1
06f43f749a314a268f3182f5ba77003621f14949

SHA256
7d08d3fde33a5dd82864206e8f3275208e3850934690b673aa6c7d0c3ed9e4f8

SHA512
f471e0dbeeed3a713ae85406497442f4cbf3b4f5814a38fa51edfdc3ca78d90a1f1464f7f8cd4fdab7fd562b29f76875e83380378020e004a576ca78c36bdf5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4780114.exe
Filesize
814KB

MD5
c7e22224e90b9aefbe40173021b5bf78

SHA1
06f43f749a314a268f3182f5ba77003621f14949

SHA256
7d08d3fde33a5dd82864206e8f3275208e3850934690b673aa6c7d0c3ed9e4f8

SHA512
f471e0dbeeed3a713ae85406497442f4cbf3b4f5814a38fa51edfdc3ca78d90a1f1464f7f8cd4fdab7fd562b29f76875e83380378020e004a576ca78c36bdf5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9539404.exe
Filesize
631KB

MD5
8720ddee8599f350f8efeb71506d7adc

SHA1
c6f7ad32bd368edc95b2dcbbddf9448b1840ac87

SHA256
8d93a47c80e14623dd86ec1d776cc989967fab4900de7eba7fc8f010c338b128

SHA512
43847f8fff75be03976385b5efa36c8ff96563b06c12c71134323a56ae77bd811d4802610163cd885d535d96d0ae5a049d7b4b892574c8a887feeabdd5dbb69a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9539404.exe
Filesize
631KB

MD5
8720ddee8599f350f8efeb71506d7adc

SHA1
c6f7ad32bd368edc95b2dcbbddf9448b1840ac87

SHA256
8d93a47c80e14623dd86ec1d776cc989967fab4900de7eba7fc8f010c338b128

SHA512
43847f8fff75be03976385b5efa36c8ff96563b06c12c71134323a56ae77bd811d4802610163cd885d535d96d0ae5a049d7b4b892574c8a887feeabdd5dbb69a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2924053.exe
Filesize
354KB

MD5
5e56f2be8f48cd561c9bbd8bc436d7bc

SHA1
32ec7c517d7eeb41fb1b9bf13327c99c39e0a227

SHA256
83609e14c1c46aa013cb0245488d0ae94c59fabbff0026cd482e0f21c511c8c0

SHA512
5873ab9ad0901dad996dd66f5728971fa14a6bf3f530698a564373827ec8b6ac44671269b71fb7eff42a5a5eb8282dd3ba8446de54d6954d6c5aa78edcc13a0a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2924053.exe
Filesize
354KB

MD5
5e56f2be8f48cd561c9bbd8bc436d7bc

SHA1
32ec7c517d7eeb41fb1b9bf13327c99c39e0a227

SHA256
83609e14c1c46aa013cb0245488d0ae94c59fabbff0026cd482e0f21c511c8c0

SHA512
5873ab9ad0901dad996dd66f5728971fa14a6bf3f530698a564373827ec8b6ac44671269b71fb7eff42a5a5eb8282dd3ba8446de54d6954d6c5aa78edcc13a0a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8620071.exe
Filesize
250KB

MD5
f99508626180b53bf30b0ce7817bd697

SHA1
88704f91de6d7012eb1a4f1ead6a1f12384f906b

SHA256
ef1073c8a8b000de7f8cc8b228c2537b12869f3110f8f48ef4e6b45b347e9fcd

SHA512
ce0bccad878003c0198cd658018be45f54a7a0aa4b1d3ab22dfbaaa361b16ce3d85b8faea466b5f703031753d48976cb4488d96639258b952a671f874555f396

Download Submit
memory/2888-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2888-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2888-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2888-66-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2888-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2888-59-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2888-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2888-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads