healer | 0a21dd97dbf41c86eac2b1269ae86745665079c44c43b4aeceb13bd980d38285

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b21b1a50b225c5fbe8fc6f0a7065b2f.exe
Size

1.1MB
MD5

6b21b1a50b225c5fbe8fc6f0a7065b2f
SHA1

523d48b2aa9227cd915555221e66b2a1acc4f617
SHA256

0a21dd97dbf41c86eac2b1269ae86745665079c44c43b4aeceb13bd980d38285
SHA512

15b1d919109fad10a45125437b29b8589e192c43cdbee41571976d8476e6e79b11d54d2dcce1351b3c00bdf1e249a3e7f208c9ba61e26220ee18b827baa440ed
SSDEEP

24576:hy5Y3WxzTRJ/kaD4nUZOwz2jNoUVuIgJMcnu1ce5tuPSZ7uZ/OHEI:UsWxzTRmaMULANowkMcuOeUSZuZ

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2708-58-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2708-56-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2708-55-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2708-60-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2708-62-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

Processes:

z9435241.exez6354729.exez2327218.exez2036875.exeq1413465.exe

pid process

1624 z9435241.exe
1704 z6354729.exe
3016 z2327218.exe
2668 z2036875.exe
2560 q1413465.exe

pid	process
1624	z9435241.exe
1704	z6354729.exe
3016	z2327218.exe
2668	z2036875.exe
2560	q1413465.exe

Loads dropped DLL 15 IoCs

Processes:

6b21b1a50b225c5fbe8fc6f0a7065b2f.exez9435241.exez6354729.exez2327218.exez2036875.exeq1413465.exeWerFault.exe

pid	process
1068	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe
1624	z9435241.exe
1624	z9435241.exe
1704	z6354729.exe
1704	z6354729.exe
3016	z2327218.exe
3016	z2327218.exe
2668	z2036875.exe
2668	z2036875.exe
2668	z2036875.exe
2560	q1413465.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6b21b1a50b225c5fbe8fc6f0a7065b2f.exez9435241.exez6354729.exez2327218.exez2036875.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9435241.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6354729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2327218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2036875.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q1413465.exe

description pid process target process

PID 2560 set thread context of 2708 2560 q1413465.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2484 2560 WerFault.exe q1413465.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2708 AppLaunch.exe
2708 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2708 AppLaunch.exe

description	pid	process	target process
PID 2560 set thread context of 2708	2560	q1413465.exe	AppLaunch.exe

pid	pid_target	process	target process
2484	2560	WerFault.exe	q1413465.exe

pid	process
2708	AppLaunch.exe
2708	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2708	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

6b21b1a50b225c5fbe8fc6f0a7065b2f.exez9435241.exez6354729.exez2327218.exez2036875.exeq1413465.exe

description	pid	process	target process
PID 1068 wrote to memory of 1624	1068	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 1068 wrote to memory of 1624	1068	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 1068 wrote to memory of 1624	1068	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 1068 wrote to memory of 1624	1068	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 1068 wrote to memory of 1624	1068	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 1068 wrote to memory of 1624	1068	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 1068 wrote to memory of 1624	1068	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 1624 wrote to memory of 1704	1624	z9435241.exe	z6354729.exe
PID 1624 wrote to memory of 1704	1624	z9435241.exe	z6354729.exe
PID 1624 wrote to memory of 1704	1624	z9435241.exe	z6354729.exe
PID 1624 wrote to memory of 1704	1624	z9435241.exe	z6354729.exe
PID 1624 wrote to memory of 1704	1624	z9435241.exe	z6354729.exe
PID 1624 wrote to memory of 1704	1624	z9435241.exe	z6354729.exe
PID 1624 wrote to memory of 1704	1624	z9435241.exe	z6354729.exe
PID 1704 wrote to memory of 3016	1704	z6354729.exe	z2327218.exe
PID 1704 wrote to memory of 3016	1704	z6354729.exe	z2327218.exe
PID 1704 wrote to memory of 3016	1704	z6354729.exe	z2327218.exe
PID 1704 wrote to memory of 3016	1704	z6354729.exe	z2327218.exe
PID 1704 wrote to memory of 3016	1704	z6354729.exe	z2327218.exe
PID 1704 wrote to memory of 3016	1704	z6354729.exe	z2327218.exe
PID 1704 wrote to memory of 3016	1704	z6354729.exe	z2327218.exe
PID 3016 wrote to memory of 2668	3016	z2327218.exe	z2036875.exe
PID 3016 wrote to memory of 2668	3016	z2327218.exe	z2036875.exe
PID 3016 wrote to memory of 2668	3016	z2327218.exe	z2036875.exe
PID 3016 wrote to memory of 2668	3016	z2327218.exe	z2036875.exe
PID 3016 wrote to memory of 2668	3016	z2327218.exe	z2036875.exe
PID 3016 wrote to memory of 2668	3016	z2327218.exe	z2036875.exe
PID 3016 wrote to memory of 2668	3016	z2327218.exe	z2036875.exe
PID 2668 wrote to memory of 2560	2668	z2036875.exe	q1413465.exe
PID 2668 wrote to memory of 2560	2668	z2036875.exe	q1413465.exe
PID 2668 wrote to memory of 2560	2668	z2036875.exe	q1413465.exe
PID 2668 wrote to memory of 2560	2668	z2036875.exe	q1413465.exe
PID 2668 wrote to memory of 2560	2668	z2036875.exe	q1413465.exe
PID 2668 wrote to memory of 2560	2668	z2036875.exe	q1413465.exe
PID 2668 wrote to memory of 2560	2668	z2036875.exe	q1413465.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2708	2560	q1413465.exe	AppLaunch.exe
PID 2560 wrote to memory of 2484	2560	q1413465.exe	WerFault.exe
PID 2560 wrote to memory of 2484	2560	q1413465.exe	WerFault.exe
PID 2560 wrote to memory of 2484	2560	q1413465.exe	WerFault.exe
PID 2560 wrote to memory of 2484	2560	q1413465.exe	WerFault.exe
PID 2560 wrote to memory of 2484	2560	q1413465.exe	WerFault.exe
PID 2560 wrote to memory of 2484	2560	q1413465.exe	WerFault.exe
PID 2560 wrote to memory of 2484	2560	q1413465.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6b21b1a50b225c5fbe8fc6f0a7065b2f.exe
"C:\Users\Admin\AppData\Local\Temp\6b21b1a50b225c5fbe8fc6f0a7065b2f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 272
7⤵
- Loads dropped DLL
- Program crash
PID:2484

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
Filesize
997KB

MD5
7a642afab8394d6aaa5cbae66866b7b6

SHA1
c71576789b2555a912848fc42810fee82c4e6a7e

SHA256
02ea308cb24014385d6cc05d5b7a6ded87cf292ed5e3204f6d70372d74026878

SHA512
4a98dae51dad95babba2ba27f68ceb0df1cdcf07b43671d45f5e160eddd6b3e7c6848c407eb9d627ed0f7fb15bcb2f0da1aa41db71e4f3fe34a14708756bbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
Filesize
997KB

MD5
7a642afab8394d6aaa5cbae66866b7b6

SHA1
c71576789b2555a912848fc42810fee82c4e6a7e

SHA256
02ea308cb24014385d6cc05d5b7a6ded87cf292ed5e3204f6d70372d74026878

SHA512
4a98dae51dad95babba2ba27f68ceb0df1cdcf07b43671d45f5e160eddd6b3e7c6848c407eb9d627ed0f7fb15bcb2f0da1aa41db71e4f3fe34a14708756bbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
Filesize
814KB

MD5
6b81abe1cbb731807e5397fb00f472c7

SHA1
60f8115d3a0e22e9c6ffc6b0d1c0f41862a164b5

SHA256
69f21d8eca0608fbfec66d4b08f63d7cd78d09eb9f98d330f3c0efcc537ea8fc

SHA512
3e9f6785f848f2ed51fa32a1f9b256b258b0f65f221f3eb028c94dccc3814704b1981eb737ed35347b84c01971f2c55688f7b8e92b2152efd8e98831fac0c95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
Filesize
814KB

MD5
6b81abe1cbb731807e5397fb00f472c7

SHA1
60f8115d3a0e22e9c6ffc6b0d1c0f41862a164b5

SHA256
69f21d8eca0608fbfec66d4b08f63d7cd78d09eb9f98d330f3c0efcc537ea8fc

SHA512
3e9f6785f848f2ed51fa32a1f9b256b258b0f65f221f3eb028c94dccc3814704b1981eb737ed35347b84c01971f2c55688f7b8e92b2152efd8e98831fac0c95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
Filesize
631KB

MD5
91b6723929525c96efc46be907630dd2

SHA1
f0b216cd013db666fd314fa470e28f3411131a2a

SHA256
95ab92acde581f0ab501c1759d24dae1677b7f956de0c285a190177411b5e7c7

SHA512
7cecb178912166fe3073c1ecb8db024c7fc0cdc341f330b886c1be66ec73edbd541f10e9e8cb07d9f14483e9669729b0ec9ffd5156525b1c7f6c6baa9f625452

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
Filesize
631KB

MD5
91b6723929525c96efc46be907630dd2

SHA1
f0b216cd013db666fd314fa470e28f3411131a2a

SHA256
95ab92acde581f0ab501c1759d24dae1677b7f956de0c285a190177411b5e7c7

SHA512
7cecb178912166fe3073c1ecb8db024c7fc0cdc341f330b886c1be66ec73edbd541f10e9e8cb07d9f14483e9669729b0ec9ffd5156525b1c7f6c6baa9f625452

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
Filesize
353KB

MD5
6fd8861be51e00b9ea6b96aebdab3e5f

SHA1
f2bc414fc7b847485b6b6e21484c161e99fe9a00

SHA256
0171e32a44ed1119add8bd15362ed84075b26c9b1336a75b356a87c4fb2341b6

SHA512
5d46b98926cc20de85a3b2678c90d5c0b8faf9c46c75b2da83c0bb1c0f7cd513ca395664442d4fb79fa387bfc8c09ffe6783d990782909a4968d7673cd8dbc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
Filesize
353KB

MD5
6fd8861be51e00b9ea6b96aebdab3e5f

SHA1
f2bc414fc7b847485b6b6e21484c161e99fe9a00

SHA256
0171e32a44ed1119add8bd15362ed84075b26c9b1336a75b356a87c4fb2341b6

SHA512
5d46b98926cc20de85a3b2678c90d5c0b8faf9c46c75b2da83c0bb1c0f7cd513ca395664442d4fb79fa387bfc8c09ffe6783d990782909a4968d7673cd8dbc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
Filesize
997KB

MD5
7a642afab8394d6aaa5cbae66866b7b6

SHA1
c71576789b2555a912848fc42810fee82c4e6a7e

SHA256
02ea308cb24014385d6cc05d5b7a6ded87cf292ed5e3204f6d70372d74026878

SHA512
4a98dae51dad95babba2ba27f68ceb0df1cdcf07b43671d45f5e160eddd6b3e7c6848c407eb9d627ed0f7fb15bcb2f0da1aa41db71e4f3fe34a14708756bbb6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
Filesize
997KB

MD5
7a642afab8394d6aaa5cbae66866b7b6

SHA1
c71576789b2555a912848fc42810fee82c4e6a7e

SHA256
02ea308cb24014385d6cc05d5b7a6ded87cf292ed5e3204f6d70372d74026878

SHA512
4a98dae51dad95babba2ba27f68ceb0df1cdcf07b43671d45f5e160eddd6b3e7c6848c407eb9d627ed0f7fb15bcb2f0da1aa41db71e4f3fe34a14708756bbb6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
Filesize
814KB

MD5
6b81abe1cbb731807e5397fb00f472c7

SHA1
60f8115d3a0e22e9c6ffc6b0d1c0f41862a164b5

SHA256
69f21d8eca0608fbfec66d4b08f63d7cd78d09eb9f98d330f3c0efcc537ea8fc

SHA512
3e9f6785f848f2ed51fa32a1f9b256b258b0f65f221f3eb028c94dccc3814704b1981eb737ed35347b84c01971f2c55688f7b8e92b2152efd8e98831fac0c95b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
Filesize
814KB

MD5
6b81abe1cbb731807e5397fb00f472c7

SHA1
60f8115d3a0e22e9c6ffc6b0d1c0f41862a164b5

SHA256
69f21d8eca0608fbfec66d4b08f63d7cd78d09eb9f98d330f3c0efcc537ea8fc

SHA512
3e9f6785f848f2ed51fa32a1f9b256b258b0f65f221f3eb028c94dccc3814704b1981eb737ed35347b84c01971f2c55688f7b8e92b2152efd8e98831fac0c95b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
Filesize
631KB

MD5
91b6723929525c96efc46be907630dd2

SHA1
f0b216cd013db666fd314fa470e28f3411131a2a

SHA256
95ab92acde581f0ab501c1759d24dae1677b7f956de0c285a190177411b5e7c7

SHA512
7cecb178912166fe3073c1ecb8db024c7fc0cdc341f330b886c1be66ec73edbd541f10e9e8cb07d9f14483e9669729b0ec9ffd5156525b1c7f6c6baa9f625452

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
Filesize
631KB

MD5
91b6723929525c96efc46be907630dd2

SHA1
f0b216cd013db666fd314fa470e28f3411131a2a

SHA256
95ab92acde581f0ab501c1759d24dae1677b7f956de0c285a190177411b5e7c7

SHA512
7cecb178912166fe3073c1ecb8db024c7fc0cdc341f330b886c1be66ec73edbd541f10e9e8cb07d9f14483e9669729b0ec9ffd5156525b1c7f6c6baa9f625452

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
Filesize
353KB

MD5
6fd8861be51e00b9ea6b96aebdab3e5f

SHA1
f2bc414fc7b847485b6b6e21484c161e99fe9a00

SHA256
0171e32a44ed1119add8bd15362ed84075b26c9b1336a75b356a87c4fb2341b6

SHA512
5d46b98926cc20de85a3b2678c90d5c0b8faf9c46c75b2da83c0bb1c0f7cd513ca395664442d4fb79fa387bfc8c09ffe6783d990782909a4968d7673cd8dbc09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
Filesize
353KB

MD5
6fd8861be51e00b9ea6b96aebdab3e5f

SHA1
f2bc414fc7b847485b6b6e21484c161e99fe9a00

SHA256
0171e32a44ed1119add8bd15362ed84075b26c9b1336a75b356a87c4fb2341b6

SHA512
5d46b98926cc20de85a3b2678c90d5c0b8faf9c46c75b2da83c0bb1c0f7cd513ca395664442d4fb79fa387bfc8c09ffe6783d990782909a4968d7673cd8dbc09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
memory/2708-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2708-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2708-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2708-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2708-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2708-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2708-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads