healer | 920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435

Analysis

max time kernel
117s
max time network
140s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe
Size

1.3MB
MD5

6b23454bad63865ae6cffa874721c6b6
SHA1

606d59fcd8a2bb5112d19224c2eaac8a8a28b81a
SHA256

920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435
SHA512

6c832d92f760ee61321567284e990f7391b0dff6f0e7e0d7d665d1851aba3fc23551bb6e0dba2f77bd7d0055557a2b4752f2ac3e69d5fc8c4f206eb255103bc8
SSDEEP

24576:xyzrqzymUv0p3WpC/4lds/w7ty+NRN55EK9yDjga2WaZaT5aE:kzr3dv0pLQXV7tywz5iK9KjgaRka

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/872-55-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/872-58-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/872-56-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/872-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/872-60-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

Processes:

z6361555.exez8494297.exez5447062.exez9274886.exeq5268617.exe

pid process

2388 z6361555.exe
2272 z8494297.exe
2604 z5447062.exe
2720 z9274886.exe
2788 q5268617.exe

pid	process
2388	z6361555.exe
2272	z8494297.exe
2604	z5447062.exe
2720	z9274886.exe
2788	q5268617.exe

Loads dropped DLL 15 IoCs

Processes:

920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exez6361555.exez8494297.exez5447062.exez9274886.exeq5268617.exeWerFault.exe

pid	process
2468	920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe
2388	z6361555.exe
2388	z6361555.exe
2272	z8494297.exe
2272	z8494297.exe
2604	z5447062.exe
2604	z5447062.exe
2720	z9274886.exe
2720	z9274886.exe
2720	z9274886.exe
2788	q5268617.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exez6361555.exez8494297.exez5447062.exez9274886.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6361555.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8494297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5447062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9274886.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q5268617.exe

description pid process target process

PID 2788 set thread context of 872 2788 q5268617.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1684 2788 WerFault.exe q5268617.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

872 AppLaunch.exe
872 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 872 AppLaunch.exe

description	pid	process	target process
PID 2788 set thread context of 872	2788	q5268617.exe	AppLaunch.exe

pid	pid_target	process	target process
1684	2788	WerFault.exe	q5268617.exe

pid	process
872	AppLaunch.exe
872	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	872	AppLaunch.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exez6361555.exez8494297.exez5447062.exez9274886.exeq5268617.exe

description	pid	process	target process
PID 2468 wrote to memory of 2388	2468	920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe	z6361555.exe
PID 2468 wrote to memory of 2388	2468	920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe	z6361555.exe
PID 2468 wrote to memory of 2388	2468	920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe	z6361555.exe
PID 2468 wrote to memory of 2388	2468	920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe	z6361555.exe
PID 2468 wrote to memory of 2388	2468	920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe	z6361555.exe
PID 2468 wrote to memory of 2388	2468	920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe	z6361555.exe
PID 2468 wrote to memory of 2388	2468	920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe	z6361555.exe
PID 2388 wrote to memory of 2272	2388	z6361555.exe	z8494297.exe
PID 2388 wrote to memory of 2272	2388	z6361555.exe	z8494297.exe
PID 2388 wrote to memory of 2272	2388	z6361555.exe	z8494297.exe
PID 2388 wrote to memory of 2272	2388	z6361555.exe	z8494297.exe
PID 2388 wrote to memory of 2272	2388	z6361555.exe	z8494297.exe
PID 2388 wrote to memory of 2272	2388	z6361555.exe	z8494297.exe
PID 2388 wrote to memory of 2272	2388	z6361555.exe	z8494297.exe
PID 2272 wrote to memory of 2604	2272	z8494297.exe	z5447062.exe
PID 2272 wrote to memory of 2604	2272	z8494297.exe	z5447062.exe
PID 2272 wrote to memory of 2604	2272	z8494297.exe	z5447062.exe
PID 2272 wrote to memory of 2604	2272	z8494297.exe	z5447062.exe
PID 2272 wrote to memory of 2604	2272	z8494297.exe	z5447062.exe
PID 2272 wrote to memory of 2604	2272	z8494297.exe	z5447062.exe
PID 2272 wrote to memory of 2604	2272	z8494297.exe	z5447062.exe
PID 2604 wrote to memory of 2720	2604	z5447062.exe	z9274886.exe
PID 2604 wrote to memory of 2720	2604	z5447062.exe	z9274886.exe
PID 2604 wrote to memory of 2720	2604	z5447062.exe	z9274886.exe
PID 2604 wrote to memory of 2720	2604	z5447062.exe	z9274886.exe
PID 2604 wrote to memory of 2720	2604	z5447062.exe	z9274886.exe
PID 2604 wrote to memory of 2720	2604	z5447062.exe	z9274886.exe
PID 2604 wrote to memory of 2720	2604	z5447062.exe	z9274886.exe
PID 2720 wrote to memory of 2788	2720	z9274886.exe	q5268617.exe
PID 2720 wrote to memory of 2788	2720	z9274886.exe	q5268617.exe
PID 2720 wrote to memory of 2788	2720	z9274886.exe	q5268617.exe
PID 2720 wrote to memory of 2788	2720	z9274886.exe	q5268617.exe
PID 2720 wrote to memory of 2788	2720	z9274886.exe	q5268617.exe
PID 2720 wrote to memory of 2788	2720	z9274886.exe	q5268617.exe
PID 2720 wrote to memory of 2788	2720	z9274886.exe	q5268617.exe
PID 2788 wrote to memory of 2672	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 2672	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 2672	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 2672	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 2672	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 2672	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 2672	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 872	2788	q5268617.exe	AppLaunch.exe
PID 2788 wrote to memory of 1684	2788	q5268617.exe	WerFault.exe
PID 2788 wrote to memory of 1684	2788	q5268617.exe	WerFault.exe
PID 2788 wrote to memory of 1684	2788	q5268617.exe	WerFault.exe
PID 2788 wrote to memory of 1684	2788	q5268617.exe	WerFault.exe
PID 2788 wrote to memory of 1684	2788	q5268617.exe	WerFault.exe
PID 2788 wrote to memory of 1684	2788	q5268617.exe	WerFault.exe
PID 2788 wrote to memory of 1684	2788	q5268617.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe
"C:\Users\Admin\AppData\Local\Temp\920567ac7bbbc194f2ba5adb99e31cbc8049f4fe050d840700fda0185fe93435.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6361555.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6361555.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8494297.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8494297.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5447062.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5447062.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9274886.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9274886.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 280
7⤵
- Loads dropped DLL
- Program crash
PID:1684

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6361555.exe
Filesize
1.2MB

MD5
79ec03f6c8e2204e51baf597655ed47d

SHA1
cf1664aef3f18c183e21393e2b6473c10019d56c

SHA256
ba8e2102ca4a56de4c6e270aa7ac8af3dc2357e01f0967b83c757654b1d1b433

SHA512
d4a0f20944f0d43face37c841ea1dc0bb05d2fb2bf051713a418c9da8d849131426a9ec3e8e0c5009370eb17e3baeaca133a324d5db561bf0efc75eb87b16166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6361555.exe
Filesize
1.2MB

MD5
79ec03f6c8e2204e51baf597655ed47d

SHA1
cf1664aef3f18c183e21393e2b6473c10019d56c

SHA256
ba8e2102ca4a56de4c6e270aa7ac8af3dc2357e01f0967b83c757654b1d1b433

SHA512
d4a0f20944f0d43face37c841ea1dc0bb05d2fb2bf051713a418c9da8d849131426a9ec3e8e0c5009370eb17e3baeaca133a324d5db561bf0efc75eb87b16166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8494297.exe
Filesize
1.0MB

MD5
e9ccd38674bac03ab4f3300fe1aeef76

SHA1
cd1d0e874c3bf22f096a003fc240c888839cc2b3

SHA256
0649cb7baaa3f49ab04160074d25974cf12853447ff300202059f54ec90159f4

SHA512
f15eeb7004ff90d92b9f6b71018f0e5136fd118489ff18b1f23a14eaa67cbd87f45c2b5a789a348a0cd948d62481b4c5aa32ffc325c0ceb9d281860838944f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8494297.exe
Filesize
1.0MB

MD5
e9ccd38674bac03ab4f3300fe1aeef76

SHA1
cd1d0e874c3bf22f096a003fc240c888839cc2b3

SHA256
0649cb7baaa3f49ab04160074d25974cf12853447ff300202059f54ec90159f4

SHA512
f15eeb7004ff90d92b9f6b71018f0e5136fd118489ff18b1f23a14eaa67cbd87f45c2b5a789a348a0cd948d62481b4c5aa32ffc325c0ceb9d281860838944f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5447062.exe
Filesize
882KB

MD5
db96db26f7c6529914a1fa3f4361a4bf

SHA1
681fbc696195caa2be32361a39d730aeaef17c83

SHA256
f34170f30b809fb486f6450a1c53bc2c04dd570a8bc5e77d9adbc35dc5aba4c0

SHA512
91d47fbd136d22ef1c4f38d40f6542689c7dc3c1c7418da044340e8f29ed6ae1ad3407687b123527e9ed077dee9815d82679e50ec902784b4a981841c545befc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5447062.exe
Filesize
882KB

MD5
db96db26f7c6529914a1fa3f4361a4bf

SHA1
681fbc696195caa2be32361a39d730aeaef17c83

SHA256
f34170f30b809fb486f6450a1c53bc2c04dd570a8bc5e77d9adbc35dc5aba4c0

SHA512
91d47fbd136d22ef1c4f38d40f6542689c7dc3c1c7418da044340e8f29ed6ae1ad3407687b123527e9ed077dee9815d82679e50ec902784b4a981841c545befc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9274886.exe
Filesize
492KB

MD5
b7e80a18ee12b01c5080a424b098df31

SHA1
854fa9bb5fe05bdf9c5d1a6f453449b57efa2827

SHA256
8ebe773ae75cdc4e32a0bc72525e996fb2a2d9dd96b24185ea6c2b696c1f8f33

SHA512
daa2b91c2f51126497556cbed88030f15ee9071bbade8f4441a78b0d49181866c4d589d5df56af4c86cf88562e45f8319fe4a8a664c26e1928da7bb3cd11388a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9274886.exe
Filesize
492KB

MD5
b7e80a18ee12b01c5080a424b098df31

SHA1
854fa9bb5fe05bdf9c5d1a6f453449b57efa2827

SHA256
8ebe773ae75cdc4e32a0bc72525e996fb2a2d9dd96b24185ea6c2b696c1f8f33

SHA512
daa2b91c2f51126497556cbed88030f15ee9071bbade8f4441a78b0d49181866c4d589d5df56af4c86cf88562e45f8319fe4a8a664c26e1928da7bb3cd11388a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6361555.exe
Filesize
1.2MB

MD5
79ec03f6c8e2204e51baf597655ed47d

SHA1
cf1664aef3f18c183e21393e2b6473c10019d56c

SHA256
ba8e2102ca4a56de4c6e270aa7ac8af3dc2357e01f0967b83c757654b1d1b433

SHA512
d4a0f20944f0d43face37c841ea1dc0bb05d2fb2bf051713a418c9da8d849131426a9ec3e8e0c5009370eb17e3baeaca133a324d5db561bf0efc75eb87b16166

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6361555.exe
Filesize
1.2MB

MD5
79ec03f6c8e2204e51baf597655ed47d

SHA1
cf1664aef3f18c183e21393e2b6473c10019d56c

SHA256
ba8e2102ca4a56de4c6e270aa7ac8af3dc2357e01f0967b83c757654b1d1b433

SHA512
d4a0f20944f0d43face37c841ea1dc0bb05d2fb2bf051713a418c9da8d849131426a9ec3e8e0c5009370eb17e3baeaca133a324d5db561bf0efc75eb87b16166

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8494297.exe
Filesize
1.0MB

MD5
e9ccd38674bac03ab4f3300fe1aeef76

SHA1
cd1d0e874c3bf22f096a003fc240c888839cc2b3

SHA256
0649cb7baaa3f49ab04160074d25974cf12853447ff300202059f54ec90159f4

SHA512
f15eeb7004ff90d92b9f6b71018f0e5136fd118489ff18b1f23a14eaa67cbd87f45c2b5a789a348a0cd948d62481b4c5aa32ffc325c0ceb9d281860838944f5d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8494297.exe
Filesize
1.0MB

MD5
e9ccd38674bac03ab4f3300fe1aeef76

SHA1
cd1d0e874c3bf22f096a003fc240c888839cc2b3

SHA256
0649cb7baaa3f49ab04160074d25974cf12853447ff300202059f54ec90159f4

SHA512
f15eeb7004ff90d92b9f6b71018f0e5136fd118489ff18b1f23a14eaa67cbd87f45c2b5a789a348a0cd948d62481b4c5aa32ffc325c0ceb9d281860838944f5d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5447062.exe
Filesize
882KB

MD5
db96db26f7c6529914a1fa3f4361a4bf

SHA1
681fbc696195caa2be32361a39d730aeaef17c83

SHA256
f34170f30b809fb486f6450a1c53bc2c04dd570a8bc5e77d9adbc35dc5aba4c0

SHA512
91d47fbd136d22ef1c4f38d40f6542689c7dc3c1c7418da044340e8f29ed6ae1ad3407687b123527e9ed077dee9815d82679e50ec902784b4a981841c545befc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5447062.exe
Filesize
882KB

MD5
db96db26f7c6529914a1fa3f4361a4bf

SHA1
681fbc696195caa2be32361a39d730aeaef17c83

SHA256
f34170f30b809fb486f6450a1c53bc2c04dd570a8bc5e77d9adbc35dc5aba4c0

SHA512
91d47fbd136d22ef1c4f38d40f6542689c7dc3c1c7418da044340e8f29ed6ae1ad3407687b123527e9ed077dee9815d82679e50ec902784b4a981841c545befc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9274886.exe
Filesize
492KB

MD5
b7e80a18ee12b01c5080a424b098df31

SHA1
854fa9bb5fe05bdf9c5d1a6f453449b57efa2827

SHA256
8ebe773ae75cdc4e32a0bc72525e996fb2a2d9dd96b24185ea6c2b696c1f8f33

SHA512
daa2b91c2f51126497556cbed88030f15ee9071bbade8f4441a78b0d49181866c4d589d5df56af4c86cf88562e45f8319fe4a8a664c26e1928da7bb3cd11388a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9274886.exe
Filesize
492KB

MD5
b7e80a18ee12b01c5080a424b098df31

SHA1
854fa9bb5fe05bdf9c5d1a6f453449b57efa2827

SHA256
8ebe773ae75cdc4e32a0bc72525e996fb2a2d9dd96b24185ea6c2b696c1f8f33

SHA512
daa2b91c2f51126497556cbed88030f15ee9071bbade8f4441a78b0d49181866c4d589d5df56af4c86cf88562e45f8319fe4a8a664c26e1928da7bb3cd11388a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5268617.exe
Filesize
860KB

MD5
f0913cad2e81f9ca4d7bc1cbe40a994c

SHA1
fdabba980f7265cea7798da75b711f1c8d9b1628

SHA256
d6c0548eebdc0119acf1b131d00d936c2a3ec4f961fadd652dd1c1e55c605061

SHA512
ce422fa59c728c5e682bd3f8e86a563d065a727ef7e576748251548c16cd04b5d5be1010413092d3b92f31d09e690ea08a8810e72277c49a94cbbda38cf0d4e2

Download Submit
memory/872-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/872-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/872-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/872-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/872-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/872-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/872-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/872-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads