healer | 6999e285a21c0015069790b5d40f342931296ccee99f81c54b397895c834d529

Analysis

max time kernel
122s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe
Size

1.0MB
MD5

4c0bd452627664d8f7e83f2aa685f136
SHA1

853a43a89952cd61f14d7d7867c869c412c05de8
SHA256

bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9
SHA512

403aba530ecc48d52ab6b1195ad294ac6cae18cdeba7e4160e73dc2cb05c16333336b46985b904e54f86450d6e8ab9639ea0035265955a7b570d3bca627e1edc
SSDEEP

24576:sy/Oee7lyTzxl3bngiZf64FceIIBE9GPcPpUjZsv:bmebbxttBAks

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2996-56-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2996-55-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2996-58-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2996-60-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2996-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

Processes:

z9256539.exez8069113.exez1264209.exez2193750.exeq4610508.exe

pid process

1972 z9256539.exe
2144 z8069113.exe
2104 z1264209.exe
2756 z2193750.exe
2604 q4610508.exe

pid	process
1972	z9256539.exe
2144	z8069113.exe
2104	z1264209.exe
2756	z2193750.exe
2604	q4610508.exe

Loads dropped DLL 15 IoCs

Processes:

bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exez9256539.exez8069113.exez1264209.exez2193750.exeq4610508.exeWerFault.exe

pid	process
2448	bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe
1972	z9256539.exe
1972	z9256539.exe
2144	z8069113.exe
2144	z8069113.exe
2104	z1264209.exe
2104	z1264209.exe
2756	z2193750.exe
2756	z2193750.exe
2756	z2193750.exe
2604	q4610508.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exez9256539.exez8069113.exez1264209.exez2193750.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9256539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8069113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1264209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2193750.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q4610508.exe

description pid process target process

PID 2604 set thread context of 2996 2604 q4610508.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2556 2604 WerFault.exe q4610508.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2996 AppLaunch.exe
2996 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2996 AppLaunch.exe

description	pid	process	target process
PID 2604 set thread context of 2996	2604	q4610508.exe	AppLaunch.exe

pid	pid_target	process	target process
2556	2604	WerFault.exe	q4610508.exe

pid	process
2996	AppLaunch.exe
2996	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2996	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exez9256539.exez8069113.exez1264209.exez2193750.exeq4610508.exe

description	pid	process	target process
PID 2448 wrote to memory of 1972	2448	bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe	z9256539.exe
PID 2448 wrote to memory of 1972	2448	bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe	z9256539.exe
PID 2448 wrote to memory of 1972	2448	bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe	z9256539.exe
PID 2448 wrote to memory of 1972	2448	bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe	z9256539.exe
PID 2448 wrote to memory of 1972	2448	bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe	z9256539.exe
PID 2448 wrote to memory of 1972	2448	bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe	z9256539.exe
PID 2448 wrote to memory of 1972	2448	bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe	z9256539.exe
PID 1972 wrote to memory of 2144	1972	z9256539.exe	z8069113.exe
PID 1972 wrote to memory of 2144	1972	z9256539.exe	z8069113.exe
PID 1972 wrote to memory of 2144	1972	z9256539.exe	z8069113.exe
PID 1972 wrote to memory of 2144	1972	z9256539.exe	z8069113.exe
PID 1972 wrote to memory of 2144	1972	z9256539.exe	z8069113.exe
PID 1972 wrote to memory of 2144	1972	z9256539.exe	z8069113.exe
PID 1972 wrote to memory of 2144	1972	z9256539.exe	z8069113.exe
PID 2144 wrote to memory of 2104	2144	z8069113.exe	z1264209.exe
PID 2144 wrote to memory of 2104	2144	z8069113.exe	z1264209.exe
PID 2144 wrote to memory of 2104	2144	z8069113.exe	z1264209.exe
PID 2144 wrote to memory of 2104	2144	z8069113.exe	z1264209.exe
PID 2144 wrote to memory of 2104	2144	z8069113.exe	z1264209.exe
PID 2144 wrote to memory of 2104	2144	z8069113.exe	z1264209.exe
PID 2144 wrote to memory of 2104	2144	z8069113.exe	z1264209.exe
PID 2104 wrote to memory of 2756	2104	z1264209.exe	z2193750.exe
PID 2104 wrote to memory of 2756	2104	z1264209.exe	z2193750.exe
PID 2104 wrote to memory of 2756	2104	z1264209.exe	z2193750.exe
PID 2104 wrote to memory of 2756	2104	z1264209.exe	z2193750.exe
PID 2104 wrote to memory of 2756	2104	z1264209.exe	z2193750.exe
PID 2104 wrote to memory of 2756	2104	z1264209.exe	z2193750.exe
PID 2104 wrote to memory of 2756	2104	z1264209.exe	z2193750.exe
PID 2756 wrote to memory of 2604	2756	z2193750.exe	q4610508.exe
PID 2756 wrote to memory of 2604	2756	z2193750.exe	q4610508.exe
PID 2756 wrote to memory of 2604	2756	z2193750.exe	q4610508.exe
PID 2756 wrote to memory of 2604	2756	z2193750.exe	q4610508.exe
PID 2756 wrote to memory of 2604	2756	z2193750.exe	q4610508.exe
PID 2756 wrote to memory of 2604	2756	z2193750.exe	q4610508.exe
PID 2756 wrote to memory of 2604	2756	z2193750.exe	q4610508.exe
PID 2604 wrote to memory of 2728	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2728	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2728	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2728	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2728	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2728	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2728	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2680	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2680	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2680	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2680	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2680	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2680	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2680	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2820	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2820	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2820	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2820	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2820	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2820	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2820	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2996	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2996	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2996	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2996	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2996	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2996	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2996	2604	q4610508.exe	AppLaunch.exe
PID 2604 wrote to memory of 2996	2604	q4610508.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe
"C:\Users\Admin\AppData\Local\Temp\bbb0836a75e58db5d86127dcd7cf0809b6cfb5f71968a32eceb67b7495b44be9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9256539.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9256539.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8069113.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8069113.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1264209.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1264209.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2193750.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2193750.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 300
7⤵
- Loads dropped DLL
- Program crash
PID:2556

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9256539.exe
Filesize
982KB

MD5
78f53f3228aea3f68aa4bd6131c80397

SHA1
18ed704b2e194b2d42fe69fbfdb2d81f2bd4113c

SHA256
3057861cf9b58fffe14d7ce72feaf45db346b6d92cbf0d50c072518d08c9fdcc

SHA512
aeeb571209800d5a264c04e2a0ce602365811ee83e556d52a6a0dbe21bf962b3d6c070b67fb7866f79eca5c54e0e6052670befd90eb1d81274ec0e08758ae4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9256539.exe
Filesize
982KB

MD5
78f53f3228aea3f68aa4bd6131c80397

SHA1
18ed704b2e194b2d42fe69fbfdb2d81f2bd4113c

SHA256
3057861cf9b58fffe14d7ce72feaf45db346b6d92cbf0d50c072518d08c9fdcc

SHA512
aeeb571209800d5a264c04e2a0ce602365811ee83e556d52a6a0dbe21bf962b3d6c070b67fb7866f79eca5c54e0e6052670befd90eb1d81274ec0e08758ae4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8069113.exe
Filesize
799KB

MD5
29b1f8ad9708404e9f0889137a545577

SHA1
2a1e1fe1d19feb7611fea7bade694b604f98f0d7

SHA256
9094b7429bf7cfd36f84443371cacf44c27844c77c59d42a37448d4f45f789e8

SHA512
bcbf079c26080650730396afe823de699ad00d02679461b872fb66e6a54361eb42aa929575f7d5315ea7fbf97e88e5b83fb6386f61dddf684be08c3a7c5cac11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8069113.exe
Filesize
799KB

MD5
29b1f8ad9708404e9f0889137a545577

SHA1
2a1e1fe1d19feb7611fea7bade694b604f98f0d7

SHA256
9094b7429bf7cfd36f84443371cacf44c27844c77c59d42a37448d4f45f789e8

SHA512
bcbf079c26080650730396afe823de699ad00d02679461b872fb66e6a54361eb42aa929575f7d5315ea7fbf97e88e5b83fb6386f61dddf684be08c3a7c5cac11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1264209.exe
Filesize
617KB

MD5
61b0215d4986fb2f933e03b8d7570721

SHA1
361bdc6c6a40806379ca58e135f303de58a1dfac

SHA256
96c26ab78e14aad921dd869e8a0081a434b75a09e0a9411063bcf3b6f829b332

SHA512
26596adc6d6166ff7ac1595e41da7cd430854412406c826886d018744f3da8d5452e478fd930e8fb958bd771f7d13de7d59662f91378fa8c875620efcb887f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1264209.exe
Filesize
617KB

MD5
61b0215d4986fb2f933e03b8d7570721

SHA1
361bdc6c6a40806379ca58e135f303de58a1dfac

SHA256
96c26ab78e14aad921dd869e8a0081a434b75a09e0a9411063bcf3b6f829b332

SHA512
26596adc6d6166ff7ac1595e41da7cd430854412406c826886d018744f3da8d5452e478fd930e8fb958bd771f7d13de7d59662f91378fa8c875620efcb887f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2193750.exe
Filesize
346KB

MD5
df799a3442e93681598598bd824b31d0

SHA1
302f6d463a24ccd87649131a6afeaf6c8adf1af9

SHA256
d8711f056781d45d6e3e89103bf3f7fb6733a7143d62ceae7cb886fbcb66054a

SHA512
b6bcf6cb462779389e65f5927ee807a25433e62262a454c274166fab7b4b4bddccfd2c2f893c28380f4968dc5e9c22aa84d975ae64796db58303fee6e75a7f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2193750.exe
Filesize
346KB

MD5
df799a3442e93681598598bd824b31d0

SHA1
302f6d463a24ccd87649131a6afeaf6c8adf1af9

SHA256
d8711f056781d45d6e3e89103bf3f7fb6733a7143d62ceae7cb886fbcb66054a

SHA512
b6bcf6cb462779389e65f5927ee807a25433e62262a454c274166fab7b4b4bddccfd2c2f893c28380f4968dc5e9c22aa84d975ae64796db58303fee6e75a7f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9256539.exe
Filesize
982KB

MD5
78f53f3228aea3f68aa4bd6131c80397

SHA1
18ed704b2e194b2d42fe69fbfdb2d81f2bd4113c

SHA256
3057861cf9b58fffe14d7ce72feaf45db346b6d92cbf0d50c072518d08c9fdcc

SHA512
aeeb571209800d5a264c04e2a0ce602365811ee83e556d52a6a0dbe21bf962b3d6c070b67fb7866f79eca5c54e0e6052670befd90eb1d81274ec0e08758ae4f9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9256539.exe
Filesize
982KB

MD5
78f53f3228aea3f68aa4bd6131c80397

SHA1
18ed704b2e194b2d42fe69fbfdb2d81f2bd4113c

SHA256
3057861cf9b58fffe14d7ce72feaf45db346b6d92cbf0d50c072518d08c9fdcc

SHA512
aeeb571209800d5a264c04e2a0ce602365811ee83e556d52a6a0dbe21bf962b3d6c070b67fb7866f79eca5c54e0e6052670befd90eb1d81274ec0e08758ae4f9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8069113.exe
Filesize
799KB

MD5
29b1f8ad9708404e9f0889137a545577

SHA1
2a1e1fe1d19feb7611fea7bade694b604f98f0d7

SHA256
9094b7429bf7cfd36f84443371cacf44c27844c77c59d42a37448d4f45f789e8

SHA512
bcbf079c26080650730396afe823de699ad00d02679461b872fb66e6a54361eb42aa929575f7d5315ea7fbf97e88e5b83fb6386f61dddf684be08c3a7c5cac11

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8069113.exe
Filesize
799KB

MD5
29b1f8ad9708404e9f0889137a545577

SHA1
2a1e1fe1d19feb7611fea7bade694b604f98f0d7

SHA256
9094b7429bf7cfd36f84443371cacf44c27844c77c59d42a37448d4f45f789e8

SHA512
bcbf079c26080650730396afe823de699ad00d02679461b872fb66e6a54361eb42aa929575f7d5315ea7fbf97e88e5b83fb6386f61dddf684be08c3a7c5cac11

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1264209.exe
Filesize
617KB

MD5
61b0215d4986fb2f933e03b8d7570721

SHA1
361bdc6c6a40806379ca58e135f303de58a1dfac

SHA256
96c26ab78e14aad921dd869e8a0081a434b75a09e0a9411063bcf3b6f829b332

SHA512
26596adc6d6166ff7ac1595e41da7cd430854412406c826886d018744f3da8d5452e478fd930e8fb958bd771f7d13de7d59662f91378fa8c875620efcb887f35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1264209.exe
Filesize
617KB

MD5
61b0215d4986fb2f933e03b8d7570721

SHA1
361bdc6c6a40806379ca58e135f303de58a1dfac

SHA256
96c26ab78e14aad921dd869e8a0081a434b75a09e0a9411063bcf3b6f829b332

SHA512
26596adc6d6166ff7ac1595e41da7cd430854412406c826886d018744f3da8d5452e478fd930e8fb958bd771f7d13de7d59662f91378fa8c875620efcb887f35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2193750.exe
Filesize
346KB

MD5
df799a3442e93681598598bd824b31d0

SHA1
302f6d463a24ccd87649131a6afeaf6c8adf1af9

SHA256
d8711f056781d45d6e3e89103bf3f7fb6733a7143d62ceae7cb886fbcb66054a

SHA512
b6bcf6cb462779389e65f5927ee807a25433e62262a454c274166fab7b4b4bddccfd2c2f893c28380f4968dc5e9c22aa84d975ae64796db58303fee6e75a7f78

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2193750.exe
Filesize
346KB

MD5
df799a3442e93681598598bd824b31d0

SHA1
302f6d463a24ccd87649131a6afeaf6c8adf1af9

SHA256
d8711f056781d45d6e3e89103bf3f7fb6733a7143d62ceae7cb886fbcb66054a

SHA512
b6bcf6cb462779389e65f5927ee807a25433e62262a454c274166fab7b4b4bddccfd2c2f893c28380f4968dc5e9c22aa84d975ae64796db58303fee6e75a7f78

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4610508.exe
Filesize
227KB

MD5
8806b2ba59a6ccca2f9d9f7aa9655fe1

SHA1
24b0f9a44ce09a3826a559b90ca99af01b10de2c

SHA256
d7d92a182c602cf844fde5defb5d65885a7fd5c484f071bf22254c7831360e9f

SHA512
7d6013d81b9f82d20271375d3c8a2579c00a5b2af2369a3cf17f07590dcb6f339a0333b0252a141a4243f5d148f170b0581bcc6a9724a1d24660822d8c740823

Download Submit
memory/2996-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2996-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2996-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2996-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2996-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2996-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2996-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2996-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads