phorphiex | e5bbb80e14cc81f6dcc7263461f6650f1fb23cbdbcdacc4d42406621c6f97123

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

phorphiex redline xmrig buy tg @fatherofcarders credential_access discovery evasion execution infostealer loader miner persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
55a4er5wo
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Extracted

Family

redline

Botnet

BUY TG @FATHEROFCARDERS

45.66.231.214:9932

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysmysldrv.exe

Phorphiex payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0004000000004ed7-63.dat	family_phorphiex
behavioral1/files/0x00050000000194c1-231.dat	family_phorphiex
behavioral1/files/0x00050000000194fa-262.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5468-451-0x0000000000370000-0x00000000003C2000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 1892 created 1244	1892	nxmr.exe	21
PID 1892 created 1244	1892	nxmr.exe	21
PID 1612 created 1244	1612	wupgrdsv.exe	21
PID 1612 created 1244	1612	wupgrdsv.exe	21

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

XMRig Miner payload 22 IoCs

miner

resource	yara_rule
behavioral1/memory/1612-199-0x000000013F870000-0x000000013FDE6000-memory.dmp	xmrig
behavioral1/memory/3372-411-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/3372-433-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/3372-438-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/3372-459-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/3372-463-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/6616-489-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-488-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-484-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-483-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-491-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-498-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-497-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-496-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-495-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-494-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-482-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-487-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-486-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-485-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-500-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/6616-499-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2916	powershell.exe
3240	powershell.exe
3624	powershell.exe
3536	powershell.exe

Contacts a large (1329) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 32 IoCs

pid	Process
3036	t1.exe
1652	sysmablsvr.exe
1960	722432858.exe
1596	peinf.exe
1892	nxmr.exe
2672	a.exe
860	66b2871b47a8b_uhigdbf.exe
2472	clamer.exe
2664	fseawd.exe
1568	tdrpload.exe
1612	wupgrdsv.exe
3464	SrbijaSetupHokej.exe
3516	SrbijaSetupHokej.tmp
3632	m.exe
3732	11.exe
3824	t.exe
3900	s.exe
3972	sysarddrvs.exe
4012	newtpp.exe
4092	sysmysldrv.exe
3208	Destover.exe
3980	twztl.exe
3900	npp.exe
3904	Documents.exe
4300	404927301.exe
4352	622424394.exe
4460	1097233107.exe
5388	66c6fcb30b9dd_123p.exe
5468	MYNEWRDX.exe
5516	whrenps.exe
476	Process not Found
6444	etzpikspwykg.exe

Loads dropped DLL 39 IoCs

pid	Process
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1652	sysmablsvr.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
2120	cmd.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
2596	taskeng.exe
1900	4363463463464363463463463.exe
3464	SrbijaSetupHokej.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
3972	sysarddrvs.exe
3900	npp.exe
3900	npp.exe
4092	sysmysldrv.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
1900	4363463463464363463463463.exe
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	t1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmysldrv.exe"	newtpp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
483	raw.githubusercontent.com
485	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6556	powercfg.exe
6548	powercfg.exe
6540	powercfg.exe
6532	powercfg.exe
6268	powercfg.exe
6260	powercfg.exe
6252	powercfg.exe
6244	powercfg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 3372	1612	wupgrdsv.exe	55
PID 6444 set thread context of 6564	6444	etzpikspwykg.exe	119
PID 6444 set thread context of 6616	6444	etzpikspwykg.exe	122

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysmablsvr.exe	t1.exe
File created	C:\Windows\Tasks\Test Task17.job	fseawd.exe
File created	C:\Windows\sysarddrvs.exe	11.exe
File opened for modification	C:\Windows\sysarddrvs.exe	11.exe
File created	C:\Windows\sysmysldrv.exe	newtpp.exe
File opened for modification	C:\Windows\sysmysldrv.exe	newtpp.exe
File created	C:\Windows\sysmablsvr.exe	t1.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3492	sc.exe
3652	sc.exe
3680	sc.exe
3724	sc.exe
6396	sc.exe
6404	sc.exe
6368	sc.exe
6276	sc.exe
3536	sc.exe
3740	sc.exe
3632	sc.exe
3760	sc.exe
3496	sc.exe
4004	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SrbijaSetupHokej.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Destover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmysldrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whrenps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmablsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fseawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SrbijaSetupHokej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newtpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MYNEWRDX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2764	schtasks.exe
3336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1892	nxmr.exe
1892	nxmr.exe
2916	powershell.exe
1892	nxmr.exe
1892	nxmr.exe
1612	wupgrdsv.exe
1612	wupgrdsv.exe
3240	powershell.exe
1612	wupgrdsv.exe
1612	wupgrdsv.exe
3624	powershell.exe
3536	powershell.exe
5388	66c6fcb30b9dd_123p.exe
5468	MYNEWRDX.exe
5468	MYNEWRDX.exe
5468	MYNEWRDX.exe
5388	66c6fcb30b9dd_123p.exe
5388	66c6fcb30b9dd_123p.exe
5388	66c6fcb30b9dd_123p.exe
5388	66c6fcb30b9dd_123p.exe
5388	66c6fcb30b9dd_123p.exe
5388	66c6fcb30b9dd_123p.exe
5388	66c6fcb30b9dd_123p.exe
5388	66c6fcb30b9dd_123p.exe
6444	etzpikspwykg.exe
6444	etzpikspwykg.exe
6444	etzpikspwykg.exe
6444	etzpikspwykg.exe
6444	etzpikspwykg.exe
6444	etzpikspwykg.exe
6444	etzpikspwykg.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
3972	sysarddrvs.exe
4092	sysmysldrv.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	4363463463464363463463463.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeLockMemoryPrivilege	3372	notepad.exe
Token: SeLockMemoryPrivilege	3372	notepad.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	5468	MYNEWRDX.exe
Token: SeShutdownPrivilege	6244	powercfg.exe
Token: SeShutdownPrivilege	6268	powercfg.exe
Token: SeShutdownPrivilege	6260	powercfg.exe
Token: SeShutdownPrivilege	6252	powercfg.exe
Token: SeShutdownPrivilege	6548	powercfg.exe
Token: SeShutdownPrivilege	6532	powercfg.exe
Token: SeShutdownPrivilege	6540	powercfg.exe
Token: SeShutdownPrivilege	6556	powercfg.exe
Token: SeLockMemoryPrivilege	6616	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe
3372	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 3036	1900	4363463463464363463463463.exe	32
PID 1900 wrote to memory of 3036	1900	4363463463464363463463463.exe	32
PID 1900 wrote to memory of 3036	1900	4363463463464363463463463.exe	32
PID 1900 wrote to memory of 3036	1900	4363463463464363463463463.exe	32
PID 3036 wrote to memory of 1652	3036	t1.exe	33
PID 3036 wrote to memory of 1652	3036	t1.exe	33
PID 3036 wrote to memory of 1652	3036	t1.exe	33
PID 3036 wrote to memory of 1652	3036	t1.exe	33
PID 1652 wrote to memory of 1960	1652	sysmablsvr.exe	35
PID 1652 wrote to memory of 1960	1652	sysmablsvr.exe	35
PID 1652 wrote to memory of 1960	1652	sysmablsvr.exe	35
PID 1652 wrote to memory of 1960	1652	sysmablsvr.exe	35
PID 1900 wrote to memory of 1596	1900	4363463463464363463463463.exe	36
PID 1900 wrote to memory of 1596	1900	4363463463464363463463463.exe	36
PID 1900 wrote to memory of 1596	1900	4363463463464363463463463.exe	36
PID 1900 wrote to memory of 1596	1900	4363463463464363463463463.exe	36
PID 1900 wrote to memory of 1892	1900	4363463463464363463463463.exe	37
PID 1900 wrote to memory of 1892	1900	4363463463464363463463463.exe	37
PID 1900 wrote to memory of 1892	1900	4363463463464363463463463.exe	37
PID 1900 wrote to memory of 1892	1900	4363463463464363463463463.exe	37
PID 1900 wrote to memory of 2672	1900	4363463463464363463463463.exe	38
PID 1900 wrote to memory of 2672	1900	4363463463464363463463463.exe	38
PID 1900 wrote to memory of 2672	1900	4363463463464363463463463.exe	38
PID 1900 wrote to memory of 2672	1900	4363463463464363463463463.exe	38
PID 1900 wrote to memory of 860	1900	4363463463464363463463463.exe	39
PID 1900 wrote to memory of 860	1900	4363463463464363463463463.exe	39
PID 1900 wrote to memory of 860	1900	4363463463464363463463463.exe	39
PID 1900 wrote to memory of 860	1900	4363463463464363463463463.exe	39
PID 860 wrote to memory of 2120	860	66b2871b47a8b_uhigdbf.exe	40
PID 860 wrote to memory of 2120	860	66b2871b47a8b_uhigdbf.exe	40
PID 860 wrote to memory of 2120	860	66b2871b47a8b_uhigdbf.exe	40
PID 2120 wrote to memory of 2472	2120	cmd.exe	42
PID 2120 wrote to memory of 2472	2120	cmd.exe	42
PID 2120 wrote to memory of 2472	2120	cmd.exe	42
PID 2472 wrote to memory of 2664	2472	clamer.exe	43
PID 2472 wrote to memory of 2664	2472	clamer.exe	43
PID 2472 wrote to memory of 2664	2472	clamer.exe	43
PID 2472 wrote to memory of 2664	2472	clamer.exe	43
PID 1900 wrote to memory of 1568	1900	4363463463464363463463463.exe	44
PID 1900 wrote to memory of 1568	1900	4363463463464363463463463.exe	44
PID 1900 wrote to memory of 1568	1900	4363463463464363463463463.exe	44
PID 1900 wrote to memory of 1568	1900	4363463463464363463463463.exe	44
PID 2916 wrote to memory of 2764	2916	powershell.exe	47
PID 2916 wrote to memory of 2764	2916	powershell.exe	47
PID 2916 wrote to memory of 2764	2916	powershell.exe	47
PID 2596 wrote to memory of 1612	2596	taskeng.exe	51
PID 2596 wrote to memory of 1612	2596	taskeng.exe	51
PID 2596 wrote to memory of 1612	2596	taskeng.exe	51
PID 3240 wrote to memory of 3336	3240	powershell.exe	54
PID 3240 wrote to memory of 3336	3240	powershell.exe	54
PID 3240 wrote to memory of 3336	3240	powershell.exe	54
PID 1612 wrote to memory of 3372	1612	wupgrdsv.exe	55
PID 1900 wrote to memory of 3464	1900	4363463463464363463463463.exe	56
PID 1900 wrote to memory of 3464	1900	4363463463464363463463463.exe	56
PID 1900 wrote to memory of 3464	1900	4363463463464363463463463.exe	56
PID 1900 wrote to memory of 3464	1900	4363463463464363463463463.exe	56
PID 1900 wrote to memory of 3464	1900	4363463463464363463463463.exe	56
PID 1900 wrote to memory of 3464	1900	4363463463464363463463463.exe	56
PID 1900 wrote to memory of 3464	1900	4363463463464363463463463.exe	56
PID 3464 wrote to memory of 3516	3464	SrbijaSetupHokej.exe	57
PID 3464 wrote to memory of 3516	3464	SrbijaSetupHokej.exe	57
PID 3464 wrote to memory of 3516	3464	SrbijaSetupHokej.exe	57
PID 3464 wrote to memory of 3516	3464	SrbijaSetupHokej.exe	57
PID 3464 wrote to memory of 3516	3464	SrbijaSetupHokej.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\722432858.exe
        
        C:\Users\Admin\AppData\Local\Temp\722432858.exe
        5⤵
        Executes dropped EXE
        
        PID:1960
- - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    - Executes dropped EXE
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1892
- - C:\Users\Admin\AppData\Local\Temp\Files\a.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\a.exe"
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\Files\66b2871b47a8b_uhigdbf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\66b2871b47a8b_uhigdbf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2664
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    - Executes dropped EXE
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\is-K40S7.tmp\SrbijaSetupHokej.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-K40S7.tmp\SrbijaSetupHokej.tmp" /SL5="$501E6,3939740,937984,C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3516
- - C:\Users\Admin\AppData\Local\Temp\Files\m.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
    3⤵
    - Executes dropped EXE
    PID:3632
- - C:\Users\Admin\AppData\Local\Temp\Files\11.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3732
  - - C:\Windows\sysarddrvs.exe
      C:\Windows\sysarddrvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      PID:3972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3492
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3652
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3536
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3760
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3740
    - - C:\Users\Admin\AppData\Local\Temp\404927301.exe
        
        C:\Users\Admin\AppData\Local\Temp\404927301.exe
        5⤵
        Executes dropped EXE
        
        PID:4300
- - C:\Users\Admin\AppData\Local\Temp\Files\t.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t.exe"
    3⤵
    - Executes dropped EXE
    PID:3824
- - C:\Users\Admin\AppData\Local\Temp\Files\s.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
    3⤵
    - Executes dropped EXE
    PID:3900
- - C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4012
  - - C:\Windows\sysmysldrv.exe
      C:\Windows\sysmysldrv.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      PID:4092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3680
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3496
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4004
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3724
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3632
    - - C:\Users\Admin\AppData\Local\Temp\1097233107.exe
        
        C:\Users\Admin\AppData\Local\Temp\1097233107.exe
        5⤵
        Executes dropped EXE
        
        PID:4460
- - C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
    3⤵
    - Executes dropped EXE
    PID:3980
- - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\622424394.exe
      C:\Users\Admin\AppData\Local\Temp\622424394.exe
      4⤵
      Executes dropped EXE
      PID:4352
- - C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Users\Admin\AppData\Local\Temp\Files\66c6fcb30b9dd_123p.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\66c6fcb30b9dd_123p.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5388
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6244
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6252
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6260
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6268
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "VIFLJRPW"
      4⤵
      Launches sc.exe
      PID:6276
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:6368
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:6396
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "VIFLJRPW"
      4⤵
      Launches sc.exe
      PID:6404
- - C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2764
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3336
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3372

C:\Windows\system32\taskeng.exe
taskeng.exe {6CCD5442-0318-456B-91E5-BDD865E89797} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1612
- C:\ProgramData\liii\whrenps.exe
  C:\ProgramData\liii\whrenps.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5516

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:6444
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6540
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6548
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6556
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6564
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
990bd3596e7eb5b57f91567f909cada2

SHA1
15e131cc477b320ea4f1e6ad3465b71bb25da923

SHA256
c88c9d274d064198af193f191fe7e968fcb8dfa8b38dd95949ec246f1b9be425

SHA512
6f67016c1b3834b6f9c0facf3b478b8d39ad5a43895f9f990be8b14396ed519530303ce0dfc6b024966bb3c5789915c3957e87def3ac477a073cc36d0eb9628e

Download Submit
C:\Users\Admin\AppData\Local\Temp\404927301.exe

Filesize
19KB

MD5
e9be5fcdbb65af72e3cc268a846608cc

SHA1
c3654860cec82d28852375bc7ad192e26b0ea240

SHA256
69d5bbd72a7c5ebb74b727849ec63898cb8672a1211bcc1750d7affdcbfc5759

SHA512
fbedc4634ab30192482878cee3d62b38d1c6a98be4ff2ef17b60238761b58fe4f0ad302beb9e35af57f3cc64b45df988c30ab9126bae4c81b66fdc2ec8399e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB59B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\66c6fcb30b9dd_123p.exe

Filesize
10.4MB

MD5
025ebe0a476fe1a27749e6da0eea724f

SHA1
fe844380280463b927b9368f9eace55eb97baab7

SHA256
2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2

SHA512
5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe

Filesize
72KB

MD5
18774ed56160b809332da7cdc439f633

SHA1
14c7495d81801f849695e709143ab582accfef27

SHA256
b1bbf3464d0f4b2461c7d56bbfc181091440e2e49588188e314ef2522e4f8c3d

SHA512
906890a6228807e8a6576849e043dbf6e5845ccf483aa536a959430759c40a1f93a920934853cbd0ea84a6347909167960c36095aefad2f3ada0628525b51e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB5BD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a0c29a41e93679b047a3479bc570532

SHA1
3367306b2fbe6755c8304cb3f212a88ad6813f80

SHA256
0e3384690ea33ec311eb51fcb5fb0627e12d964b11acaa60cd470352124879a1

SHA512
9ff112cca09d306101d830975b5290e056ea98b43c8c4ebaf5a48f74233b1edafaa38931cc06f2ab4373e51df6a97eb58ff4c85539e26ee3e1333f68b240a44f

Download Submit
\Users\Admin\AppData\Local\Temp\722432858.exe

Filesize
19KB

MD5
dce86bff5ca04db752b19245e111a636

SHA1
f1e3a56d5be946483b5eac047540a37d6af60f03

SHA256
1467e4763d7a4b66d33c01714e7ed6192c8518688a72f91bf37a51ef35095a6d

SHA512
448bd6926688f32afef0d759dcdbe10915736e51f0b4b3059d402e58d677b4ed915460809a91680bd2eb640fc830dfaeda02484157a94f1d8ce2447e3a795ef8

Download Submit
\Users\Admin\AppData\Local\Temp\Files\66b2871b47a8b_uhigdbf.exe

Filesize
898KB

MD5
eeecdefa939b534bc8f774a15e05ab0f

SHA1
4a20176527706aea33b22f436f6856572a9e4946

SHA256
3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c

SHA512
3253eaebc2b14186131ac2170f8a62fe8271bf20ddf8b1024036fd1f9a00ea2d8d8b79646af9a8476d440374146bec3130591779b083905563146921b969b381

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Destover.exe

Filesize
89KB

MD5
e904bf93403c0fb08b9683a9e858c73e

SHA1
8397c1e1f0b9d53a114850f6b3ae8c1f2b2d1590

SHA256
4c2efe2f1253b94f16a1cab032f36c7883e4f6c8d9fc17d0ee553b5afb16330c

SHA512
d83f63737f7fcac9179ca262aa5c32bba7e140897736b63474afcf4f972ffb4c317c5e1d6f7ebe6a0f2d77db8f41204031314d7749c7185ec3e3b5286d77c1a3

Download Submit
\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe

Filesize
4.5MB

MD5
528b9a26fd19839aeba788171c568311

SHA1
8276a9db275dccad133cc7d48cf0b8d97b91f1e2

SHA256
f84477a25b3fd48faf72484d4d9f86a4152b07baf5bc743656451fe36df2d482

SHA512
255baefe30d50c9cd35654820f0aa59daccd324b631cc1b10a3d906b489f431bba71836bb0558a81df262b49fb893ca26e0029cca6e2c961f907aac2462da438

Download Submit
\Users\Admin\AppData\Local\Temp\Files\newtpp.exe

Filesize
92KB

MD5
be9388b42333b3d4e163b0ace699897b

SHA1
4e1109772eb9cb59c557380822166fe1664403bd

SHA256
d281e0a0f1e1073f2d290a7eb1f77bed4c210dbf83a0f4f4e22073f50faa843f

SHA512
5f887f1060b898c9a88745cde7cf509fdf42947ab8e5948b46c2df659468dc245b24d089bdbec0b314c40b83934698bf4b6feb8954e32810ff8f522aab0af19a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\npp.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
20KB

MD5
1382c0a4a9e0a9a2c942458652a4a0e4

SHA1
55ed8ebd6281c280c3e77763773d789a6057e743

SHA256
4cb590dfafb7653379326e840d9b904a3cf05451999c4f9eb66c6e7116b68875

SHA512
cc1ba7e779536b57409c974f16b0d8706fdf8749fb9eca36716d4e84d4f420a650b6476ac08570e684ad1e492da3bbacc15a4e5be4b94a1b708909d683da0b7e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\t1.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
453KB

MD5
135b0687503cb65f57e494eed9a6f551

SHA1
a4ed81f972c32d3170b5b33e67a41abbd6c1184a

SHA256
acc6551cf9cf2b8292f8f384467920fc633fdcdc4e5431794dd850ae66a8a457

SHA512
9253143306c6733180b0bea3c7463b4ca8d22a970a65eae05f766ced87ed973c0670867f69b8c72d318d93719da712276e64041a8b4269e818e41de113f6e22d

Download Submit
\Users\Admin\AppData\Local\Temp\is-K40S7.tmp\SrbijaSetupHokej.tmp

Filesize
2.6MB

MD5
c1f245b6132c60c691b6c82d580c01dd

SHA1
e57c80890d412168525482b877f5968eab188088

SHA256
988f006a8ab95ad735ab271a0b027e1fdb215d3fa4c247fd2fdad52ac5534b77

SHA512
8223a20fdb33dd2e8333ac45711d7d11539baa4401d650e82dc4b95949324740f00834e42b695bd64e7092ae3be1c69ea21c297bba8518605e98bf3590556ffd

Download Submit
memory/1612-199-0x000000013F870000-0x000000013FDE6000-memory.dmp

Filesize
5.5MB

Download
memory/1892-186-0x000000013F7F0000-0x000000013FD66000-memory.dmp

Filesize
5.5MB

Download
memory/1900-0-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

Filesize
4KB

Download
memory/1900-2-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/1900-1-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/1900-58-0x0000000074DA0000-0x000000007548E000-memory.dmp

Filesize
6.9MB

Download
memory/1900-57-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

Filesize
4KB

Download
memory/2916-182-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2916-183-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/3208-462-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3208-437-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3208-432-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3240-196-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/3240-195-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/3372-433-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3372-463-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3372-411-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3372-438-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3372-459-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3372-200-0x0000000000040000-0x0000000000060000-memory.dmp

Filesize
128KB

Download
memory/3464-414-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3464-207-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3516-415-0x0000000000400000-0x00000000006A9000-memory.dmp

Filesize
2.7MB

Download
memory/5388-456-0x0000000077D50000-0x0000000077D52000-memory.dmp

Filesize
8KB

Download
memory/5388-454-0x0000000077D50000-0x0000000077D52000-memory.dmp

Filesize
8KB

Download
memory/5388-452-0x0000000077D50000-0x0000000077D52000-memory.dmp

Filesize
8KB

Download
memory/5388-457-0x0000000140000000-0x0000000141999000-memory.dmp

Filesize
25.6MB

Download
memory/5468-451-0x0000000000370000-0x00000000003C2000-memory.dmp

Filesize
328KB

Download
memory/6444-472-0x0000000140000000-0x0000000141999000-memory.dmp

Filesize
25.6MB

Download
memory/6564-478-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/6564-477-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/6564-476-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/6564-475-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/6564-474-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/6564-493-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/6616-488-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-483-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-491-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-498-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-497-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-496-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-495-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-494-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-482-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-481-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-484-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-487-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-486-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-485-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-489-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-500-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/6616-499-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download