fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 11:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
Size

986KB
MD5

f571f9ba675a979292735c5f3a1d4e09
SHA1

d60929a1a78d39a86ee379b318ff96c79a861800
SHA256

fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92
SHA512

4e0b1ef15743158ea8cd9d13c5011de748e1583c8f0b9a21bb17806e8567b1046c8f3c050de678ec255c2ce0560689da1a85a61dc79c3b465caaa029ba04123c
SSDEEP

24576:o5CvHHvH7MgHNCntKmrQTE2Wxn7rrAq4jungDygJOMWJO:pjqQmr97rwX0JO

Score

8^/10

discovery evasion

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
984	setup2.exe
1372	sxeE84.tmp
1164	services.exe
1720	services.exe
1664	services.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1204	attrib.exe

Loads dropped DLL 11 IoCs

pid	Process
2028	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
984	setup2.exe
984	setup2.exe
984	setup2.exe
984	setup2.exe
984	setup2.exe
984	setup2.exe
980	cmd.exe
980	cmd.exe
1164	services.exe
1164	services.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IIS\ir2.cn	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\sxeE73.tmp	setup2.exe
File opened for modification	C:\Windows\SysWOW64\IIS\regedit	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\stuffmp3.txt	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\winlogon.exe	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\aliases.ini	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\ir.cn	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\mirc.ini	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\regedit	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\vars.ini	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\sxeE84.tmp	setup2.exe
File created	C:\Windows\SysWOW64\IIS\7081275.tmp	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\mirc.ini	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\services.exe	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\7081353.tmp	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\sxeE74.tmp	setup2.exe
File opened for modification	C:\Windows\SysWOW64\IIS\services.log	services.exe
File opened for modification	C:\Windows\SysWOW64\IIS	attrib.exe
File created	C:\Windows\SysWOW64\IIS\ir.cn	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\7081337.tmp	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\servers.ini	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\servers.ini	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\7081306.tmp	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\setup2.exe	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\vars.ini	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\services.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\IIS\setup2.exe	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\services.ini	cmd.exe
File created	C:\Windows\SysWOW64\IIS\7081259.tmp	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\aliases.ini	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\ircnz.dll	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\mirc.REG	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\ir2.cn	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\SysWOW64\IIS\7081290.tmp	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\services.exe	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\ircnz.dll	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\mirc.REG	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\stuffmp3.txt	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File opened for modification	C:\Windows\SysWOW64\IIS\winlogon.exe	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Windows Login Service Uninstaller.exe	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
File created	C:\Windows\Windows Login Service Uninstaller.exe	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2004	regedit.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 984	2028	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe	27
PID 2028 wrote to memory of 984	2028	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe	27
PID 2028 wrote to memory of 984	2028	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe	27
PID 2028 wrote to memory of 984	2028	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe	27
PID 2028 wrote to memory of 984	2028	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe	27
PID 2028 wrote to memory of 984	2028	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe	27
PID 2028 wrote to memory of 984	2028	fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe	27
PID 984 wrote to memory of 1372	984	setup2.exe	28
PID 984 wrote to memory of 1372	984	setup2.exe	28
PID 984 wrote to memory of 1372	984	setup2.exe	28
PID 984 wrote to memory of 1372	984	setup2.exe	28
PID 984 wrote to memory of 1372	984	setup2.exe	28
PID 984 wrote to memory of 1372	984	setup2.exe	28
PID 984 wrote to memory of 1372	984	setup2.exe	28
PID 1372 wrote to memory of 980	1372	sxeE84.tmp	29
PID 1372 wrote to memory of 980	1372	sxeE84.tmp	29
PID 1372 wrote to memory of 980	1372	sxeE84.tmp	29
PID 1372 wrote to memory of 980	1372	sxeE84.tmp	29
PID 1372 wrote to memory of 980	1372	sxeE84.tmp	29
PID 1372 wrote to memory of 980	1372	sxeE84.tmp	29
PID 1372 wrote to memory of 980	1372	sxeE84.tmp	29
PID 980 wrote to memory of 1164	980	cmd.exe	31
PID 980 wrote to memory of 1164	980	cmd.exe	31
PID 980 wrote to memory of 1164	980	cmd.exe	31
PID 980 wrote to memory of 1164	980	cmd.exe	31
PID 980 wrote to memory of 1164	980	cmd.exe	31
PID 980 wrote to memory of 1164	980	cmd.exe	31
PID 980 wrote to memory of 1164	980	cmd.exe	31
PID 980 wrote to memory of 1204	980	cmd.exe	33
PID 980 wrote to memory of 1204	980	cmd.exe	33
PID 980 wrote to memory of 1204	980	cmd.exe	33
PID 980 wrote to memory of 1204	980	cmd.exe	33
PID 980 wrote to memory of 1204	980	cmd.exe	33
PID 980 wrote to memory of 1204	980	cmd.exe	33
PID 980 wrote to memory of 1204	980	cmd.exe	33
PID 980 wrote to memory of 632	980	cmd.exe	34
PID 980 wrote to memory of 632	980	cmd.exe	34
PID 980 wrote to memory of 632	980	cmd.exe	34
PID 980 wrote to memory of 632	980	cmd.exe	34
PID 980 wrote to memory of 632	980	cmd.exe	34
PID 980 wrote to memory of 632	980	cmd.exe	34
PID 980 wrote to memory of 632	980	cmd.exe	34
PID 632 wrote to memory of 1960	632	net.exe	35
PID 632 wrote to memory of 1960	632	net.exe	35
PID 632 wrote to memory of 1960	632	net.exe	35
PID 632 wrote to memory of 1960	632	net.exe	35
PID 632 wrote to memory of 1960	632	net.exe	35
PID 632 wrote to memory of 1960	632	net.exe	35
PID 632 wrote to memory of 1960	632	net.exe	35
PID 980 wrote to memory of 2004	980	cmd.exe	37
PID 980 wrote to memory of 2004	980	cmd.exe	37
PID 980 wrote to memory of 2004	980	cmd.exe	37
PID 980 wrote to memory of 2004	980	cmd.exe	37
PID 980 wrote to memory of 2004	980	cmd.exe	37
PID 980 wrote to memory of 2004	980	cmd.exe	37
PID 980 wrote to memory of 2004	980	cmd.exe	37
PID 980 wrote to memory of 976	980	cmd.exe	38
PID 980 wrote to memory of 976	980	cmd.exe	38
PID 980 wrote to memory of 976	980	cmd.exe	38
PID 980 wrote to memory of 976	980	cmd.exe	38
PID 980 wrote to memory of 976	980	cmd.exe	38
PID 980 wrote to memory of 976	980	cmd.exe	38
PID 980 wrote to memory of 976	980	cmd.exe	38
PID 976 wrote to memory of 2032	976	net.exe	39

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1204	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
"C:\Users\Admin\AppData\Local\Temp\fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\IIS\setup2.exe
  "C:\Windows\system32\IIS\setup2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\IIS\sxeE84.tmp
    "C:\Windows\SysWOW64\IIS\sxeE84.tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt0238.bat
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\SysWOW64\IIS\services.exe
        
        services -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1164
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib ../iis +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1204
    - - C:\Windows\SysWOW64\net.exe
        
        net start "Sound Management"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Sound Management"
        6⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s mirc.reg
        5⤵
        Runs .reg file with regedit
        
        PID:2004
    - - C:\Windows\SysWOW64\net.exe
        
        net start "Sound Management"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Sound Management"
        6⤵
        
        PID:2032

C:\Windows\SysWOW64\IIS\services.exe
C:\Windows\SysWOW64\IIS\services.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\IIS\services.exe
C:\Windows\SysWOW64\IIS\services.exe
1⤵
- Executes dropped EXE
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bt0238.bat

Filesize
865B

MD5
0e5e2044cc54574d43a7dfc2aa923719

SHA1
d45e187d832169cc132e45c839d6e7e98f738313

SHA256
d3cfdabfb6a871be5189a2718a70a3886094d65f261cae3ada3c2e986c854bb0

SHA512
e50950f8921fa34e12d160b15f3ecbfc5a02bbb2800119cc82571767ac8fe74c0df61199a7809434b85b6b8afcf0458c841cdd6fcc4fb17bd3b449233f3d2b25

Download Submit
C:\Windows\SysWOW64\IIS\mirc.REG

Filesize
151B

MD5
9a1c20549988cd4e3ce73449b8d4bbd9

SHA1
d9c7f5d506cd06d957b84a9d3a2342195f727fd8

SHA256
4d41b734b123ed45dbfd512ac2bed042da04b7b8fc621acd899f55c6707fbc5b

SHA512
8b1640079f72bf83d91fa2e73c781ace84eef2b30cab3feb8a98d5c12dd5d1df888d05d6574c0707454d633b92afd6e1378996775b3ed213f30895a0af38732c

Download Submit
C:\Windows\SysWOW64\IIS\regedit

Filesize
1KB

MD5
82646b2eb26ed5cf8398d666cb14a484

SHA1
588fefe65a14278583d24c5d1b2ae0180c7aab05

SHA256
5225eab5dafafa5635d887f0d246c97448a693b325a20c584e7315e95fa04d05

SHA512
092d48ea28197c3ab59b391b70a42a1069a78ce02996e2c20eb0d62a4e931dab19e816a4f549ba1cfbcd13e78866c413c31ba874ca2b65402629678d4cb94041

Download Submit
C:\Windows\SysWOW64\IIS\services.exe

Filesize
52KB

MD5
6b95926f1c12fb3e6605844e91855be8

SHA1
589b1d027bf59553cabc948d8f81e19e2347c958

SHA256
0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

SHA512
31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

Download Submit
C:\Windows\SysWOW64\IIS\services.exe

Filesize
52KB

MD5
6b95926f1c12fb3e6605844e91855be8

SHA1
589b1d027bf59553cabc948d8f81e19e2347c958

SHA256
0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

SHA512
31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

Download Submit
C:\Windows\SysWOW64\IIS\services.exe

Filesize
52KB

MD5
6b95926f1c12fb3e6605844e91855be8

SHA1
589b1d027bf59553cabc948d8f81e19e2347c958

SHA256
0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

SHA512
31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

Download Submit
C:\Windows\SysWOW64\IIS\services.exe

Filesize
52KB

MD5
6b95926f1c12fb3e6605844e91855be8

SHA1
589b1d027bf59553cabc948d8f81e19e2347c958

SHA256
0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

SHA512
31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

Download Submit
C:\Windows\SysWOW64\IIS\services.ini

Filesize
265B

MD5
550a5099acb0db1d245a94ace5c2631b

SHA1
64e71e7c91be45fc59ac283ec927c5db276a5ed5

SHA256
66bd2edab998aed343d65bc9684729d4052c00b056e22724c7bf32f515c477f8

SHA512
109e6db59f0cf702ef773e300bce071e8af5a2cfc026fcb1b5c8f425b79575251983896221bb95ffbcf44912bea09c303f77c177d1ce7a4a69d8d9bc132aa800

Download Submit
C:\Windows\SysWOW64\IIS\setup2.exe

Filesize
115KB

MD5
f959a6c0e577dec0a8cd617d3b5a254b

SHA1
b1e8f45371709218dbfb1711a11337ca8243222e

SHA256
78616d84429ffd836622e2a390d9390fdb9a21ff6f669685398f88f27a2a212f

SHA512
abcda5460683d492d274faa4cdfb25a788f464a0a899c3ad66fcf775a08dad0a8e86654f1ab867aaee09ea4f813d0da102c728b78d03996a30c1f120f5f26d35

Download Submit
C:\Windows\SysWOW64\IIS\setup2.exe

Filesize
115KB

MD5
f959a6c0e577dec0a8cd617d3b5a254b

SHA1
b1e8f45371709218dbfb1711a11337ca8243222e

SHA256
78616d84429ffd836622e2a390d9390fdb9a21ff6f669685398f88f27a2a212f

SHA512
abcda5460683d492d274faa4cdfb25a788f464a0a899c3ad66fcf775a08dad0a8e86654f1ab867aaee09ea4f813d0da102c728b78d03996a30c1f120f5f26d35

Download Submit
C:\Windows\SysWOW64\IIS\sxeE84.tmp

Filesize
146KB

MD5
810f556084a89f6a1253094cbd568338

SHA1
385ff65ec8c5f07d84961b5ea588b128fa5d09f2

SHA256
e619487112ad29ba127ab34e188520dab9ecf3c5550c7e302ac69f949f9cf2a6

SHA512
fb2738d24c33b0f1ad09ef4bb7fb207a37f6faef3f19bfd6a32a0331b7f9952046f8f86fb09e13554c3a05e833b270337e6cee88ef2e5230c1f11b2e6a5eb034

Download Submit
C:\Windows\SysWOW64\IIS\sxeE84.tmp

Filesize
146KB

MD5
810f556084a89f6a1253094cbd568338

SHA1
385ff65ec8c5f07d84961b5ea588b128fa5d09f2

SHA256
e619487112ad29ba127ab34e188520dab9ecf3c5550c7e302ac69f949f9cf2a6

SHA512
fb2738d24c33b0f1ad09ef4bb7fb207a37f6faef3f19bfd6a32a0331b7f9952046f8f86fb09e13554c3a05e833b270337e6cee88ef2e5230c1f11b2e6a5eb034

Download Submit
\Windows\SysWOW64\IIS\services.exe

Filesize
52KB

MD5
6b95926f1c12fb3e6605844e91855be8

SHA1
589b1d027bf59553cabc948d8f81e19e2347c958

SHA256
0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

SHA512
31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

Download Submit
\Windows\SysWOW64\IIS\services.exe

Filesize
52KB

MD5
6b95926f1c12fb3e6605844e91855be8

SHA1
589b1d027bf59553cabc948d8f81e19e2347c958

SHA256
0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

SHA512
31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

Download Submit
\Windows\SysWOW64\IIS\services.exe

Filesize
52KB

MD5
6b95926f1c12fb3e6605844e91855be8

SHA1
589b1d027bf59553cabc948d8f81e19e2347c958

SHA256
0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

SHA512
31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

Download Submit
\Windows\SysWOW64\IIS\services.exe

Filesize
52KB

MD5
6b95926f1c12fb3e6605844e91855be8

SHA1
589b1d027bf59553cabc948d8f81e19e2347c958

SHA256
0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

SHA512
31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

Download Submit
\Windows\SysWOW64\IIS\setup2.exe

Filesize
115KB

MD5
f959a6c0e577dec0a8cd617d3b5a254b

SHA1
b1e8f45371709218dbfb1711a11337ca8243222e

SHA256
78616d84429ffd836622e2a390d9390fdb9a21ff6f669685398f88f27a2a212f

SHA512
abcda5460683d492d274faa4cdfb25a788f464a0a899c3ad66fcf775a08dad0a8e86654f1ab867aaee09ea4f813d0da102c728b78d03996a30c1f120f5f26d35

Download Submit
\Windows\SysWOW64\IIS\setup2.exe

Filesize
115KB

MD5
f959a6c0e577dec0a8cd617d3b5a254b

SHA1
b1e8f45371709218dbfb1711a11337ca8243222e

SHA256
78616d84429ffd836622e2a390d9390fdb9a21ff6f669685398f88f27a2a212f

SHA512
abcda5460683d492d274faa4cdfb25a788f464a0a899c3ad66fcf775a08dad0a8e86654f1ab867aaee09ea4f813d0da102c728b78d03996a30c1f120f5f26d35

Download Submit
\Windows\SysWOW64\IIS\setup2.exe

Filesize
115KB

MD5
f959a6c0e577dec0a8cd617d3b5a254b

SHA1
b1e8f45371709218dbfb1711a11337ca8243222e

SHA256
78616d84429ffd836622e2a390d9390fdb9a21ff6f669685398f88f27a2a212f

SHA512
abcda5460683d492d274faa4cdfb25a788f464a0a899c3ad66fcf775a08dad0a8e86654f1ab867aaee09ea4f813d0da102c728b78d03996a30c1f120f5f26d35

Download Submit
\Windows\SysWOW64\IIS\setup2.exe

Filesize
115KB

MD5
f959a6c0e577dec0a8cd617d3b5a254b

SHA1
b1e8f45371709218dbfb1711a11337ca8243222e

SHA256
78616d84429ffd836622e2a390d9390fdb9a21ff6f669685398f88f27a2a212f

SHA512
abcda5460683d492d274faa4cdfb25a788f464a0a899c3ad66fcf775a08dad0a8e86654f1ab867aaee09ea4f813d0da102c728b78d03996a30c1f120f5f26d35

Download Submit
\Windows\SysWOW64\IIS\sxeE73.tmp

Filesize
15KB

MD5
bd815b61f9948f93aface4033fbb4423

SHA1
b5391484009b39053fc8b1bba63d444969bafcfa

SHA256
b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

SHA512
a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

Download Submit
\Windows\SysWOW64\IIS\sxeE84.tmp

Filesize
146KB

MD5
810f556084a89f6a1253094cbd568338

SHA1
385ff65ec8c5f07d84961b5ea588b128fa5d09f2

SHA256
e619487112ad29ba127ab34e188520dab9ecf3c5550c7e302ac69f949f9cf2a6

SHA512
fb2738d24c33b0f1ad09ef4bb7fb207a37f6faef3f19bfd6a32a0331b7f9952046f8f86fb09e13554c3a05e833b270337e6cee88ef2e5230c1f11b2e6a5eb034

Download Submit
\Windows\SysWOW64\IIS\sxeE84.tmp

Filesize
146KB

MD5
810f556084a89f6a1253094cbd568338

SHA1
385ff65ec8c5f07d84961b5ea588b128fa5d09f2

SHA256
e619487112ad29ba127ab34e188520dab9ecf3c5550c7e302ac69f949f9cf2a6

SHA512
fb2738d24c33b0f1ad09ef4bb7fb207a37f6faef3f19bfd6a32a0331b7f9952046f8f86fb09e13554c3a05e833b270337e6cee88ef2e5230c1f11b2e6a5eb034

Download Submit
memory/984-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/984-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/984-91-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/984-90-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/984-92-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads