healer | 9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b

Analysis

max time kernel
121s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe
Size

1.0MB
MD5

f0815627e2eda026531f2ca036d1c4dd
SHA1

255560c15e1710f3723c5e085bcdf73df11cbab0
SHA256

9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b
SHA512

cd05c3988ba62cb97ef7da90b6033096384a0bee4ac9b98aa10da685407429b7bff03649a4f0c27ae8a14343f49745956ba3d3e253cd78fb47e2a6b6c7b94735
SSDEEP

24576:0yRuvIOSXjHzeWdCfo3D7rN+CeHrcRr1C8b:DRuvPSXraWIfo3D7rAcRr1C8

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2928-57-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2928-59-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2928-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2928-64-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2928-66-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Executes dropped EXE 5 IoCs

Processes:

z3706419.exez9075517.exez4990816.exez4138851.exeq2119491.exe

pid process

2068 z3706419.exe
2364 z9075517.exe
2672 z4990816.exe
2676 z4138851.exe
2768 q2119491.exe

pid	process
2068	z3706419.exe
2364	z9075517.exe
2672	z4990816.exe
2676	z4138851.exe
2768	q2119491.exe

Loads dropped DLL 15 IoCs

Processes:

9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exez3706419.exez9075517.exez4990816.exez4138851.exeq2119491.exeWerFault.exe

pid	process
2072	9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe
2068	z3706419.exe
2068	z3706419.exe
2364	z9075517.exe
2364	z9075517.exe
2672	z4990816.exe
2672	z4990816.exe
2676	z4138851.exe
2676	z4138851.exe
2676	z4138851.exe
2768	q2119491.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exez3706419.exez9075517.exez4990816.exez4138851.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3706419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9075517.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4990816.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4138851.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q2119491.exe

description pid process target process

PID 2768 set thread context of 2928 2768 q2119491.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3028 2768 WerFault.exe q2119491.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2928 AppLaunch.exe
2928 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2928 AppLaunch.exe

description	pid	process	target process
PID 2768 set thread context of 2928	2768	q2119491.exe	AppLaunch.exe

pid	pid_target	process	target process
3028	2768	WerFault.exe	q2119491.exe

pid	process
2928	AppLaunch.exe
2928	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2928	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exez3706419.exez9075517.exez4990816.exez4138851.exeq2119491.exe

description	pid	process	target process
PID 2072 wrote to memory of 2068	2072	9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe	z3706419.exe
PID 2072 wrote to memory of 2068	2072	9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe	z3706419.exe
PID 2072 wrote to memory of 2068	2072	9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe	z3706419.exe
PID 2072 wrote to memory of 2068	2072	9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe	z3706419.exe
PID 2072 wrote to memory of 2068	2072	9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe	z3706419.exe
PID 2072 wrote to memory of 2068	2072	9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe	z3706419.exe
PID 2072 wrote to memory of 2068	2072	9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe	z3706419.exe
PID 2068 wrote to memory of 2364	2068	z3706419.exe	z9075517.exe
PID 2068 wrote to memory of 2364	2068	z3706419.exe	z9075517.exe
PID 2068 wrote to memory of 2364	2068	z3706419.exe	z9075517.exe
PID 2068 wrote to memory of 2364	2068	z3706419.exe	z9075517.exe
PID 2068 wrote to memory of 2364	2068	z3706419.exe	z9075517.exe
PID 2068 wrote to memory of 2364	2068	z3706419.exe	z9075517.exe
PID 2068 wrote to memory of 2364	2068	z3706419.exe	z9075517.exe
PID 2364 wrote to memory of 2672	2364	z9075517.exe	z4990816.exe
PID 2364 wrote to memory of 2672	2364	z9075517.exe	z4990816.exe
PID 2364 wrote to memory of 2672	2364	z9075517.exe	z4990816.exe
PID 2364 wrote to memory of 2672	2364	z9075517.exe	z4990816.exe
PID 2364 wrote to memory of 2672	2364	z9075517.exe	z4990816.exe
PID 2364 wrote to memory of 2672	2364	z9075517.exe	z4990816.exe
PID 2364 wrote to memory of 2672	2364	z9075517.exe	z4990816.exe
PID 2672 wrote to memory of 2676	2672	z4990816.exe	z4138851.exe
PID 2672 wrote to memory of 2676	2672	z4990816.exe	z4138851.exe
PID 2672 wrote to memory of 2676	2672	z4990816.exe	z4138851.exe
PID 2672 wrote to memory of 2676	2672	z4990816.exe	z4138851.exe
PID 2672 wrote to memory of 2676	2672	z4990816.exe	z4138851.exe
PID 2672 wrote to memory of 2676	2672	z4990816.exe	z4138851.exe
PID 2672 wrote to memory of 2676	2672	z4990816.exe	z4138851.exe
PID 2676 wrote to memory of 2768	2676	z4138851.exe	q2119491.exe
PID 2676 wrote to memory of 2768	2676	z4138851.exe	q2119491.exe
PID 2676 wrote to memory of 2768	2676	z4138851.exe	q2119491.exe
PID 2676 wrote to memory of 2768	2676	z4138851.exe	q2119491.exe
PID 2676 wrote to memory of 2768	2676	z4138851.exe	q2119491.exe
PID 2676 wrote to memory of 2768	2676	z4138851.exe	q2119491.exe
PID 2676 wrote to memory of 2768	2676	z4138851.exe	q2119491.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 2928	2768	q2119491.exe	AppLaunch.exe
PID 2768 wrote to memory of 3028	2768	q2119491.exe	WerFault.exe
PID 2768 wrote to memory of 3028	2768	q2119491.exe	WerFault.exe
PID 2768 wrote to memory of 3028	2768	q2119491.exe	WerFault.exe
PID 2768 wrote to memory of 3028	2768	q2119491.exe	WerFault.exe
PID 2768 wrote to memory of 3028	2768	q2119491.exe	WerFault.exe
PID 2768 wrote to memory of 3028	2768	q2119491.exe	WerFault.exe
PID 2768 wrote to memory of 3028	2768	q2119491.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9d08d921bd8a2a5bb7febe1b1954e043719e47b9cb5a04791bd58a4fc6accf7b_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3706419.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3706419.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9075517.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9075517.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4990816.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4990816.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4138851.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4138851.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 268
7⤵
- Loads dropped DLL
- Program crash
PID:3028

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3706419.exe
Filesize
964KB

MD5
b6feb380ef4569f7bd88cb38ea99fbbc

SHA1
3a2487fb1b809d1d07ea74fcce61d71b58272fc0

SHA256
37430c4db0db1b5d87d334da0620a0145a7073b9e16b13b309a5a437d6f3af71

SHA512
c6b8867b71b32f92bc783bb06ed5c76184032706122628cc0735b210c355c0ee9bfa31eb67ece469576c6cb279c5d31557d58e254edbb60a35597af32584c220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3706419.exe
Filesize
964KB

MD5
b6feb380ef4569f7bd88cb38ea99fbbc

SHA1
3a2487fb1b809d1d07ea74fcce61d71b58272fc0

SHA256
37430c4db0db1b5d87d334da0620a0145a7073b9e16b13b309a5a437d6f3af71

SHA512
c6b8867b71b32f92bc783bb06ed5c76184032706122628cc0735b210c355c0ee9bfa31eb67ece469576c6cb279c5d31557d58e254edbb60a35597af32584c220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9075517.exe
Filesize
782KB

MD5
16f9b5680bb04dcb6c26345dd46fddbb

SHA1
92534f4b8177d43248bdb59cc6e1f7af8f12d30f

SHA256
87230b7b77e9a768c5c7c231062c68875c2841317029744ddd161ab2c3a63a7f

SHA512
8045ae9a8f2c508e575d3d92131b79d4490e14353647b79cc17471edb7c1b526adfab727903c27647b4e0cd4ad0f657e1d80448b4f364b4f6958f79173a8afd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9075517.exe
Filesize
782KB

MD5
16f9b5680bb04dcb6c26345dd46fddbb

SHA1
92534f4b8177d43248bdb59cc6e1f7af8f12d30f

SHA256
87230b7b77e9a768c5c7c231062c68875c2841317029744ddd161ab2c3a63a7f

SHA512
8045ae9a8f2c508e575d3d92131b79d4490e14353647b79cc17471edb7c1b526adfab727903c27647b4e0cd4ad0f657e1d80448b4f364b4f6958f79173a8afd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4990816.exe
Filesize
599KB

MD5
6919e8470fe190a623acf58ace3d30e5

SHA1
1a89d3a96978a93b1794a140a51afc6cd7b99066

SHA256
6dfacc61f4fd808e28efc4bf94108fb6e89b526969fca6fc5b1364b07cb0f124

SHA512
971262a328d74acd8aefde57826a08a78dfca4a320625a83e3e1b9225ed66a99304ad734db7b8f5bf0585a6e991ec238eaf9ec38e14deb4e02f1afe7dedf8171

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4990816.exe
Filesize
599KB

MD5
6919e8470fe190a623acf58ace3d30e5

SHA1
1a89d3a96978a93b1794a140a51afc6cd7b99066

SHA256
6dfacc61f4fd808e28efc4bf94108fb6e89b526969fca6fc5b1364b07cb0f124

SHA512
971262a328d74acd8aefde57826a08a78dfca4a320625a83e3e1b9225ed66a99304ad734db7b8f5bf0585a6e991ec238eaf9ec38e14deb4e02f1afe7dedf8171

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4138851.exe
Filesize
337KB

MD5
ab69ee444e7482237a22d6108a9783f4

SHA1
2b625c6c67f8769b3d770ac2ecafa8f728ea72bf

SHA256
aacc9a31fa45c004e31c85ba6fac0baac9acf7deb39fd00db50883cf41c62d49

SHA512
c7cd7179c7be5167bdbe6a7fe3e73208a1895dfcd797bd636a4c16aeeae52bf2097355f9a2dde98c5d53cb34496d98ac1fea0f6523f8ebbaf8d3548576131cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4138851.exe
Filesize
337KB

MD5
ab69ee444e7482237a22d6108a9783f4

SHA1
2b625c6c67f8769b3d770ac2ecafa8f728ea72bf

SHA256
aacc9a31fa45c004e31c85ba6fac0baac9acf7deb39fd00db50883cf41c62d49

SHA512
c7cd7179c7be5167bdbe6a7fe3e73208a1895dfcd797bd636a4c16aeeae52bf2097355f9a2dde98c5d53cb34496d98ac1fea0f6523f8ebbaf8d3548576131cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3706419.exe
Filesize
964KB

MD5
b6feb380ef4569f7bd88cb38ea99fbbc

SHA1
3a2487fb1b809d1d07ea74fcce61d71b58272fc0

SHA256
37430c4db0db1b5d87d334da0620a0145a7073b9e16b13b309a5a437d6f3af71

SHA512
c6b8867b71b32f92bc783bb06ed5c76184032706122628cc0735b210c355c0ee9bfa31eb67ece469576c6cb279c5d31557d58e254edbb60a35597af32584c220

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3706419.exe
Filesize
964KB

MD5
b6feb380ef4569f7bd88cb38ea99fbbc

SHA1
3a2487fb1b809d1d07ea74fcce61d71b58272fc0

SHA256
37430c4db0db1b5d87d334da0620a0145a7073b9e16b13b309a5a437d6f3af71

SHA512
c6b8867b71b32f92bc783bb06ed5c76184032706122628cc0735b210c355c0ee9bfa31eb67ece469576c6cb279c5d31557d58e254edbb60a35597af32584c220

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9075517.exe
Filesize
782KB

MD5
16f9b5680bb04dcb6c26345dd46fddbb

SHA1
92534f4b8177d43248bdb59cc6e1f7af8f12d30f

SHA256
87230b7b77e9a768c5c7c231062c68875c2841317029744ddd161ab2c3a63a7f

SHA512
8045ae9a8f2c508e575d3d92131b79d4490e14353647b79cc17471edb7c1b526adfab727903c27647b4e0cd4ad0f657e1d80448b4f364b4f6958f79173a8afd8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9075517.exe
Filesize
782KB

MD5
16f9b5680bb04dcb6c26345dd46fddbb

SHA1
92534f4b8177d43248bdb59cc6e1f7af8f12d30f

SHA256
87230b7b77e9a768c5c7c231062c68875c2841317029744ddd161ab2c3a63a7f

SHA512
8045ae9a8f2c508e575d3d92131b79d4490e14353647b79cc17471edb7c1b526adfab727903c27647b4e0cd4ad0f657e1d80448b4f364b4f6958f79173a8afd8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4990816.exe
Filesize
599KB

MD5
6919e8470fe190a623acf58ace3d30e5

SHA1
1a89d3a96978a93b1794a140a51afc6cd7b99066

SHA256
6dfacc61f4fd808e28efc4bf94108fb6e89b526969fca6fc5b1364b07cb0f124

SHA512
971262a328d74acd8aefde57826a08a78dfca4a320625a83e3e1b9225ed66a99304ad734db7b8f5bf0585a6e991ec238eaf9ec38e14deb4e02f1afe7dedf8171

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4990816.exe
Filesize
599KB

MD5
6919e8470fe190a623acf58ace3d30e5

SHA1
1a89d3a96978a93b1794a140a51afc6cd7b99066

SHA256
6dfacc61f4fd808e28efc4bf94108fb6e89b526969fca6fc5b1364b07cb0f124

SHA512
971262a328d74acd8aefde57826a08a78dfca4a320625a83e3e1b9225ed66a99304ad734db7b8f5bf0585a6e991ec238eaf9ec38e14deb4e02f1afe7dedf8171

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4138851.exe
Filesize
337KB

MD5
ab69ee444e7482237a22d6108a9783f4

SHA1
2b625c6c67f8769b3d770ac2ecafa8f728ea72bf

SHA256
aacc9a31fa45c004e31c85ba6fac0baac9acf7deb39fd00db50883cf41c62d49

SHA512
c7cd7179c7be5167bdbe6a7fe3e73208a1895dfcd797bd636a4c16aeeae52bf2097355f9a2dde98c5d53cb34496d98ac1fea0f6523f8ebbaf8d3548576131cdb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4138851.exe
Filesize
337KB

MD5
ab69ee444e7482237a22d6108a9783f4

SHA1
2b625c6c67f8769b3d770ac2ecafa8f728ea72bf

SHA256
aacc9a31fa45c004e31c85ba6fac0baac9acf7deb39fd00db50883cf41c62d49

SHA512
c7cd7179c7be5167bdbe6a7fe3e73208a1895dfcd797bd636a4c16aeeae52bf2097355f9a2dde98c5d53cb34496d98ac1fea0f6523f8ebbaf8d3548576131cdb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2119491.exe
Filesize
217KB

MD5
e8c39b8dc7e4cf5f04517b57228578ea

SHA1
5d3fd2ab34f0a0284bdb20549f31b2a0848ac9e6

SHA256
064ff9b0f1b9fe3e0b41c4b76864c7403b9186f97a62cad06d671e6ce35a8b3c

SHA512
ae65cafbbbbdb7242849c3e79568e6f3e34717ffcbffcf3b765613e01d77e1f0485679359883ebf254ad4856efa3cf280b477b7f2fd2c126a04ab079a7c7de32

Download Submit
memory/2928-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2928-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2928-66-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2928-59-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2928-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2928-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2928-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads