healer | 3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742e

General

Target

3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe
Size

897KB
MD5

80845924d2dbe7d8b2166db81d265fe0
SHA1

406f257d405d571f85d53585a37435ea56f75afb
SHA256

3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742e
SHA512

1ca234ae7557dfc5691edea1bfb4cc12d6bf6af350a65ce36f7e8405896270f12e49fa253ddcf7de7b0e215b09e4ff743bca2d263ab156739a324745c0e6d9dc
SSDEEP

12288:DMrdy90dX6ZWgnR06+07CJO+sdtDTo51Bi/89+lIg2eXm2KlqronPHi6KHl0l5fi:SyiSrreJO+WDToPGN+gZm2ka6bCPl

Score

10^/10

healer redline jokes discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jokes

C2

77.91.124.82:19071

Attributes

auth_value
fb7b36b70ae30fb2b72f789037350cdb

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1112-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1925188.exe	family_redline
behavioral1/memory/5028-44-0x0000000000780000-0x00000000007B0000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

r7095938.exeexplonde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	r7095938.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 9 IoCs

Processes:

z5771142.exez2397745.exez5453283.exeq3620391.exer7095938.exeexplonde.exes1925188.exeexplonde.exeexplonde.exe

pid	process
2820	z5771142.exe
2092	z2397745.exe
64	z5453283.exe
3304	q3620391.exe
3992	r7095938.exe
396	explonde.exe
5028	s1925188.exe
3472	explonde.exe
3736	explonde.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exez5771142.exez2397745.exez5453283.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5771142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2397745.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5453283.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

q3620391.exe

description pid process target process

PID 3304 set thread context of 1112 3304 q3620391.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1896 3304 WerFault.exe q3620391.exe

description	pid	process	target process
PID 3304 set thread context of 1112	3304	q3620391.exe	AppLaunch.exe

pid	pid_target	process	target process
1896	3304	WerFault.exe	q3620391.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeschtasks.execmd.exe3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exer7095938.exeexplonde.execacls.exez5453283.exeq3620391.exes1925188.execacls.exez5771142.exez2397745.execmd.exeAppLaunch.execacls.execacls.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r7095938.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explonde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z5453283.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q3620391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s1925188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z5771142.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z2397745.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3876 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1112 AppLaunch.exe
1112 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1112 AppLaunch.exe

pid	process
3876	schtasks.exe

pid	process
1112	AppLaunch.exe
1112	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1112	AppLaunch.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exez5771142.exez2397745.exez5453283.exeq3620391.exer7095938.exeexplonde.execmd.exe

description	pid	process	target process
PID 4192 wrote to memory of 2820	4192	3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe	z5771142.exe
PID 4192 wrote to memory of 2820	4192	3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe	z5771142.exe
PID 4192 wrote to memory of 2820	4192	3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe	z5771142.exe
PID 2820 wrote to memory of 2092	2820	z5771142.exe	z2397745.exe
PID 2820 wrote to memory of 2092	2820	z5771142.exe	z2397745.exe
PID 2820 wrote to memory of 2092	2820	z5771142.exe	z2397745.exe
PID 2092 wrote to memory of 64	2092	z2397745.exe	z5453283.exe
PID 2092 wrote to memory of 64	2092	z2397745.exe	z5453283.exe
PID 2092 wrote to memory of 64	2092	z2397745.exe	z5453283.exe
PID 64 wrote to memory of 3304	64	z5453283.exe	q3620391.exe
PID 64 wrote to memory of 3304	64	z5453283.exe	q3620391.exe
PID 64 wrote to memory of 3304	64	z5453283.exe	q3620391.exe
PID 3304 wrote to memory of 4484	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 4484	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 4484	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 1112	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 1112	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 1112	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 1112	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 1112	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 1112	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 1112	3304	q3620391.exe	AppLaunch.exe
PID 3304 wrote to memory of 1112	3304	q3620391.exe	AppLaunch.exe
PID 64 wrote to memory of 3992	64	z5453283.exe	r7095938.exe
PID 64 wrote to memory of 3992	64	z5453283.exe	r7095938.exe
PID 64 wrote to memory of 3992	64	z5453283.exe	r7095938.exe
PID 3992 wrote to memory of 396	3992	r7095938.exe	explonde.exe
PID 3992 wrote to memory of 396	3992	r7095938.exe	explonde.exe
PID 3992 wrote to memory of 396	3992	r7095938.exe	explonde.exe
PID 2092 wrote to memory of 5028	2092	z2397745.exe	s1925188.exe
PID 2092 wrote to memory of 5028	2092	z2397745.exe	s1925188.exe
PID 2092 wrote to memory of 5028	2092	z2397745.exe	s1925188.exe
PID 396 wrote to memory of 3876	396	explonde.exe	schtasks.exe
PID 396 wrote to memory of 3876	396	explonde.exe	schtasks.exe
PID 396 wrote to memory of 3876	396	explonde.exe	schtasks.exe
PID 396 wrote to memory of 3880	396	explonde.exe	cmd.exe
PID 396 wrote to memory of 3880	396	explonde.exe	cmd.exe
PID 396 wrote to memory of 3880	396	explonde.exe	cmd.exe
PID 3880 wrote to memory of 3288	3880	cmd.exe	cmd.exe
PID 3880 wrote to memory of 3288	3880	cmd.exe	cmd.exe
PID 3880 wrote to memory of 3288	3880	cmd.exe	cmd.exe
PID 3880 wrote to memory of 2560	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 2560	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 2560	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 4288	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 4288	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 4288	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 4796	3880	cmd.exe	cmd.exe
PID 3880 wrote to memory of 4796	3880	cmd.exe	cmd.exe
PID 3880 wrote to memory of 4796	3880	cmd.exe	cmd.exe
PID 3880 wrote to memory of 3776	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 3776	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 3776	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 736	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 736	3880	cmd.exe	cacls.exe
PID 3880 wrote to memory of 736	3880	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe
"C:\Users\Admin\AppData\Local\Temp\3aff409c042546fd4fc90bf02502c6460e0dfb0ad9d406fc939615babdb2742eN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5771142.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5771142.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2397745.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2397745.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5453283.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5453283.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3620391.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3620391.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 552
6⤵
- Program crash
PID:1896

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r7095938.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r7095938.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
- System Location Discovery: System Language Discovery
PID:3288

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
8⤵
- System Location Discovery: System Language Discovery
PID:2560

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
8⤵
- System Location Discovery: System Language Discovery
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
- System Location Discovery: System Language Discovery
PID:4796

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
8⤵
- System Location Discovery: System Language Discovery
PID:3776

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
8⤵
- System Location Discovery: System Language Discovery
PID:736

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1925188.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1925188.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3304 -ip 3304
1⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5771142.exe

Filesize
639KB

MD5
84465def7d2fb37691c5ff0e4bb0035d

SHA1
b0a467ee217df41ad89906992e0abd3cab079998

SHA256
01c06789ae9f0b06d97dc0169033259adfdef9886ad3443b314164333537a82f

SHA512
55a526e3e321e73fcd4a851f8576ec2051d9a26ddb70aac404fec053a71e48d4760ff0a6f1677df026ed3a2158029531e58b2116de9152f870a89576a506b44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2397745.exe

Filesize
456KB

MD5
c46e6c3e0c8418703fda428ac2f0345a

SHA1
9d8ced5faddc0a62610176d18d4c546ccbd67cb5

SHA256
99315d9aaeee73594faf51f41ed76300fbe110c19788bc42a510f015db28d403

SHA512
bc503d896147a0afa873a299ea13006a2f6717df13906890d249f3c124191e689c62e4c0622bc4586b93ed86ecf815e6fe8c97fe97776c0b19c5df8e92eb5e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s1925188.exe

Filesize
174KB

MD5
c1037f18b0f062fcdde86edb77aaace0

SHA1
8f3c22c37e296e072e39a98f93cbf01445dad65a

SHA256
e43f8acd8318ed6e5aa2644fae8303d4c9a5a2829da0e22dc50352d95fa31cc1

SHA512
017e77f805fb0f45c77b189da987ada8e2dffd352d1855438e79dcdd5dd151d44acf7fdcbdf82cc9f4a82a3fe30d12aa2593024b86f1012e25597a74650f615d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5453283.exe

Filesize
301KB

MD5
18db01c358228e38eb90f940fcbe4193

SHA1
80ffe3c870e621122678bcd44e3f2ac7e9cf83f1

SHA256
941fe27645b26b0f3705c6c9ee42b4473d804ef70a535561caa3a9f52575a430

SHA512
69d38964ee365a06bb6b884695e94757ec368ca9909198c1e78084c5e5e6ec628b092bccbe2013e4f3549570c49a629dbb7f0d747de05b50ab7ebbf354c17e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q3620391.exe

Filesize
190KB

MD5
994938d4b1f58a9f57ad2a4781fca7fc

SHA1
95b458f72559c58402b4b16987ca21ce42f3a73d

SHA256
54f80be349f1d4a9c8d855ad5fb00601e4e7d56dc4d40c22c1afe950ffa9edac

SHA512
02174a88c83e604feb06ce185490ad1ab6412599846f5f2913f92eb0f84a4090a1d838b61311fc2a1b3da27578a6c1338947c1d94734b3e3adeb9ed71dd6aae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
222KB

MD5
72bdc38bc642bd50901b75c325679b51

SHA1
ce59d066c9db2824693aeac389bd11d45ac53a29

SHA256
81eca1210cbdc34de5fdefb201982618a5d5b3995b7b3233a71ba7d035b2bec0

SHA512
6cf22cb55b6d48bc2c37e7f9f4749aaf2ad40fee0771f2302d7120e67ddd98e964bd6fab1632276e62d0160c36b35273f72e597cc5ef12418234771df8713b9c

Download Submit
memory/1112-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5028-44-0x0000000000780000-0x00000000007B0000-memory.dmp

Filesize
192KB

Download
memory/5028-45-0x0000000002880000-0x0000000002886000-memory.dmp

Filesize
24KB

Download
memory/5028-46-0x000000000AA90000-0x000000000B0A8000-memory.dmp

Filesize
6.1MB

Download
memory/5028-47-0x000000000A5F0000-0x000000000A6FA000-memory.dmp

Filesize
1.0MB

Download
memory/5028-48-0x000000000A530000-0x000000000A542000-memory.dmp

Filesize
72KB

Download
memory/5028-49-0x000000000A590000-0x000000000A5CC000-memory.dmp

Filesize
240KB

Download
memory/5028-50-0x0000000002800000-0x000000000284C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads