amadey | cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf

Analysis

max time kernel
120s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe
Size

1.0MB
MD5

5e7ec84696d9296af7409bd6995169a6
SHA1

e2f76f58ffee25ec383f9822c6d4fa96711667e5
SHA256

cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf
SHA512

265fcf1c9977c403ff268f93da2670910e545bba9ef3eafb794b7b6547a1a1fce17882b735edce9561d2f7145884cbd337ebbb91eafb3428aa2ed2352ada21b0
SSDEEP

24576:AyDqBEc9fsukSYefsp/r5dA6GKfYeY8p4mdhHyrQow:HOGc9fZkSYR1k6GmYP8p4mkQo

Score

10^/10

amadey dcrat redline duna rosn discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

duna

176.113.115.145:4125

Attributes

auth_value
8879c60b4740ac2d7fb8831d4d3c396f

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v0705JJ.exetz4095.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0705JJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0705JJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4095.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4095.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0705JJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4095.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0705JJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0705JJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0705JJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4095.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4095.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4095.exe

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	5096	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1296-215-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-217-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-214-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-219-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-221-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-223-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-225-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-227-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-229-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-231-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-233-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-235-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-237-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-239-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-241-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-243-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-245-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline
behavioral1/memory/1296-247-0x0000000004AD0000-0x0000000004B0F000-memory.dmp	family_redline

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000211001\DCRatBuild.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\1000211001\DCRatBuild.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\1000211001\DCRatBuild.exe	dcrat
C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe	dcrat
C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe	dcrat
behavioral1/memory/2112-1185-0x0000000000DE0000-0x0000000000EB6000-memory.dmp	dcrat
C:\odt\wininit.exe	dcrat
C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe	dcrat
C:\Program Files\Windows Mail\SearchApp.exe	dcrat
C:\Program Files\Windows Mail\SearchApp.exe	dcrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y15ys15.exelegenda.exeDCRatBuild.exeWScript.exefontCrt.exefontCrt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y15ys15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legenda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	fontCrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	fontCrt.exe

Executes dropped EXE 15 IoCs

Processes:

zap9810.exezap7133.exezap5296.exetz4095.exev0705JJ.exew98XI28.exexepmF88.exey15ys15.exelegenda.exeDCRatBuild.exelegenda.exefontCrt.exefontCrt.exeSearchApp.exelegenda.exe

pid	process
3888	zap9810.exe
2292	zap7133.exe
1632	zap5296.exe
1360	tz4095.exe
3528	v0705JJ.exe
1296	w98XI28.exe
5036	xepmF88.exe
1208	y15ys15.exe
4108	legenda.exe
1756	DCRatBuild.exe
3512	legenda.exe
2112	fontCrt.exe
3876	fontCrt.exe
4780	SearchApp.exe
4056	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

992 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
992	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz4095.exev0705JJ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4095.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0705JJ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0705JJ.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap7133.exezap5296.execfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exezap9810.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7133.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap5296.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9810.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

Processes:

fontCrt.exefontCrt.exe

description	ioc	process
File created	C:\Program Files\Windows Mail\38384e6a620884	fontCrt.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\9e8d7a4ca61bd9	fontCrt.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe	fontCrt.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\f3b6ecef712a24	fontCrt.exe
File created	C:\Program Files\Common Files\Services\RuntimeBroker.exe	fontCrt.exe
File created	C:\Program Files\Common Files\Services\9e8d7a4ca61bd9	fontCrt.exe
File opened for modification	C:\Program Files\Windows Mail\SearchApp.exe	fontCrt.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	fontCrt.exe
File opened for modification	C:\Program Files\Common Files\Services\RuntimeBroker.exe	fontCrt.exe
File created	C:\Program Files\Windows Mail\SearchApp.exe	fontCrt.exe

Drops file in Windows directory 10 IoCs

Processes:

fontCrt.exefontCrt.exe

description	ioc	process
File created	C:\Windows\fr-FR\StartMenuExperienceHost.exe	fontCrt.exe
File created	C:\Windows\Offline Web Pages\RuntimeBroker.exe	fontCrt.exe
File created	C:\Windows\Offline Web Pages\9e8d7a4ca61bd9	fontCrt.exe
File created	C:\Windows\Setup\State\TrustedInstaller.exe	fontCrt.exe
File created	C:\Windows\bcastdvr\TrustedInstaller.exe	fontCrt.exe
File created	C:\Windows\Media\Raga\smss.exe	fontCrt.exe
File created	C:\Windows\Media\Raga\69ddcba757bf72	fontCrt.exe
File created	C:\Windows\fr-FR\55b276f4edf653	fontCrt.exe
File created	C:\Windows\Setup\State\04c1e7795967e4	fontCrt.exe
File created	C:\Windows\bcastdvr\04c1e7795967e4	fontCrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3504 3528 WerFault.exe v0705JJ.exe
4424 1296 WerFault.exe w98XI28.exe

pid	pid_target	process	target process
3504	3528	WerFault.exe	v0705JJ.exe
4424	1296	WerFault.exe	w98XI28.exe

Creates scheduled task(s) 1 TTPs 52 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1292	schtasks.exe
3156	schtasks.exe
1316	schtasks.exe
4556	schtasks.exe
1192	schtasks.exe
432	schtasks.exe
2820	schtasks.exe
3548	schtasks.exe
840	schtasks.exe
2248	schtasks.exe
4792	schtasks.exe
1308	schtasks.exe
4356	schtasks.exe
316	schtasks.exe
2280	schtasks.exe
4932	schtasks.exe
3660	schtasks.exe
1168	schtasks.exe
4604	schtasks.exe
1344	schtasks.exe
4680	schtasks.exe
736	schtasks.exe
4948	schtasks.exe
2664	schtasks.exe
3568	schtasks.exe
3764	schtasks.exe
4984	schtasks.exe
2224	schtasks.exe
2292	schtasks.exe
2668	schtasks.exe
4976	schtasks.exe
1020	schtasks.exe
1628	schtasks.exe
1108	schtasks.exe
2328	schtasks.exe
944	schtasks.exe
1560	schtasks.exe
4916	schtasks.exe
3888	schtasks.exe
4332	schtasks.exe
4888	schtasks.exe
792	schtasks.exe
4424	schtasks.exe
1564	schtasks.exe
4400	schtasks.exe
3640	schtasks.exe
2880	schtasks.exe
4104	schtasks.exe
3360	schtasks.exe
960	schtasks.exe
1180	schtasks.exe
5116	schtasks.exe

Modifies registry class 3 IoCs

Processes:

DCRatBuild.exefontCrt.exefontCrt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	fontCrt.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	fontCrt.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

tz4095.exev0705JJ.exew98XI28.exexepmF88.exefontCrt.exefontCrt.exeSearchApp.exe

pid	process
1360	tz4095.exe
1360	tz4095.exe
3528	v0705JJ.exe
3528	v0705JJ.exe
1296	w98XI28.exe
1296	w98XI28.exe
5036	xepmF88.exe
5036	xepmF88.exe
2112	fontCrt.exe
2112	fontCrt.exe
2112	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
3876	fontCrt.exe
4780	SearchApp.exe
4780	SearchApp.exe
4780	SearchApp.exe
4780	SearchApp.exe
4780	SearchApp.exe
4780	SearchApp.exe
4780	SearchApp.exe
4780	SearchApp.exe
4780	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

tz4095.exev0705JJ.exew98XI28.exexepmF88.exefontCrt.exefontCrt.exeSearchApp.exe

description	pid	process
Token: SeDebugPrivilege	1360	tz4095.exe
Token: SeDebugPrivilege	3528	v0705JJ.exe
Token: SeDebugPrivilege	1296	w98XI28.exe
Token: SeDebugPrivilege	5036	xepmF88.exe
Token: SeDebugPrivilege	2112	fontCrt.exe
Token: SeDebugPrivilege	3876	fontCrt.exe
Token: SeDebugPrivilege	4780	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exezap9810.exezap7133.exezap5296.exey15ys15.exelegenda.execmd.exeDCRatBuild.exeWScript.execmd.exefontCrt.execmd.exe

description	pid	process	target process
PID 1568 wrote to memory of 3888	1568	cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe	zap9810.exe
PID 1568 wrote to memory of 3888	1568	cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe	zap9810.exe
PID 1568 wrote to memory of 3888	1568	cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe	zap9810.exe
PID 3888 wrote to memory of 2292	3888	zap9810.exe	zap7133.exe
PID 3888 wrote to memory of 2292	3888	zap9810.exe	zap7133.exe
PID 3888 wrote to memory of 2292	3888	zap9810.exe	zap7133.exe
PID 2292 wrote to memory of 1632	2292	zap7133.exe	zap5296.exe
PID 2292 wrote to memory of 1632	2292	zap7133.exe	zap5296.exe
PID 2292 wrote to memory of 1632	2292	zap7133.exe	zap5296.exe
PID 1632 wrote to memory of 1360	1632	zap5296.exe	tz4095.exe
PID 1632 wrote to memory of 1360	1632	zap5296.exe	tz4095.exe
PID 1632 wrote to memory of 3528	1632	zap5296.exe	v0705JJ.exe
PID 1632 wrote to memory of 3528	1632	zap5296.exe	v0705JJ.exe
PID 1632 wrote to memory of 3528	1632	zap5296.exe	v0705JJ.exe
PID 2292 wrote to memory of 1296	2292	zap7133.exe	w98XI28.exe
PID 2292 wrote to memory of 1296	2292	zap7133.exe	w98XI28.exe
PID 2292 wrote to memory of 1296	2292	zap7133.exe	w98XI28.exe
PID 3888 wrote to memory of 5036	3888	zap9810.exe	xepmF88.exe
PID 3888 wrote to memory of 5036	3888	zap9810.exe	xepmF88.exe
PID 3888 wrote to memory of 5036	3888	zap9810.exe	xepmF88.exe
PID 1568 wrote to memory of 1208	1568	cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe	y15ys15.exe
PID 1568 wrote to memory of 1208	1568	cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe	y15ys15.exe
PID 1568 wrote to memory of 1208	1568	cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe	y15ys15.exe
PID 1208 wrote to memory of 4108	1208	y15ys15.exe	legenda.exe
PID 1208 wrote to memory of 4108	1208	y15ys15.exe	legenda.exe
PID 1208 wrote to memory of 4108	1208	y15ys15.exe	legenda.exe
PID 4108 wrote to memory of 1168	4108	legenda.exe	schtasks.exe
PID 4108 wrote to memory of 1168	4108	legenda.exe	schtasks.exe
PID 4108 wrote to memory of 1168	4108	legenda.exe	schtasks.exe
PID 4108 wrote to memory of 1284	4108	legenda.exe	cmd.exe
PID 4108 wrote to memory of 1284	4108	legenda.exe	cmd.exe
PID 4108 wrote to memory of 1284	4108	legenda.exe	cmd.exe
PID 1284 wrote to memory of 5004	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 5004	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 5004	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 1860	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 1860	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 1860	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 2004	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 2004	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 2004	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 1696	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 1696	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 1696	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4384	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 4384	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 4384	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 3956	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 3956	1284	cmd.exe	cacls.exe
PID 1284 wrote to memory of 3956	1284	cmd.exe	cacls.exe
PID 4108 wrote to memory of 1756	4108	legenda.exe	DCRatBuild.exe
PID 4108 wrote to memory of 1756	4108	legenda.exe	DCRatBuild.exe
PID 4108 wrote to memory of 1756	4108	legenda.exe	DCRatBuild.exe
PID 1756 wrote to memory of 3416	1756	DCRatBuild.exe	WScript.exe
PID 1756 wrote to memory of 3416	1756	DCRatBuild.exe	WScript.exe
PID 1756 wrote to memory of 3416	1756	DCRatBuild.exe	WScript.exe
PID 3416 wrote to memory of 4692	3416	WScript.exe	cmd.exe
PID 3416 wrote to memory of 4692	3416	WScript.exe	cmd.exe
PID 3416 wrote to memory of 4692	3416	WScript.exe	cmd.exe
PID 4692 wrote to memory of 2112	4692	cmd.exe	fontCrt.exe
PID 4692 wrote to memory of 2112	4692	cmd.exe	fontCrt.exe
PID 2112 wrote to memory of 1760	2112	fontCrt.exe	cmd.exe
PID 2112 wrote to memory of 1760	2112	fontCrt.exe	cmd.exe
PID 1760 wrote to memory of 4272	1760	cmd.exe	w32tm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe
"C:\Users\Admin\AppData\Local\Temp\cfc40d54c1eb0409d9103d2c29d02b1e16161ee4b9f1ec9527a7fd2d03ebdeaf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9810.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9810.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7133.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7133.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5296.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5296.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4095.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4095.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0705JJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0705JJ.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1076
6⤵
- Program crash
PID:3504

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w98XI28.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w98XI28.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1336
5⤵
- Program crash
PID:4424

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xepmF88.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xepmF88.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15ys15.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15ys15.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5004

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1860

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1696

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4384

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\1000211001\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000211001\DCRatBuild.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\Dv4vvNTlsubx.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\IiKt0EWKMiNQh.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe
"C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NsgguySYuj.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4272

C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe
"C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JjZrQ0bUjT.bat"
10⤵
PID:4652

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:1284

C:\Program Files\Windows Mail\SearchApp.exe
"C:\Program Files\Windows Mail\SearchApp.exe"
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3528 -ip 3528
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1296 -ip 1296
1⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Raga\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Raga\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Raga\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\Setup\State\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\odt\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\bcastdvr\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\SearchApp.exe
Filesize
828KB

MD5
d1ddc9594f33bc5ab209df344552b01f

SHA1
2e701e56fcf783375443823c309a679e0cedf97a

SHA256
bffb1ca0e0e07e4e938920b861c4ee96633fbd934c6528ca3bcddff5009aa54e

SHA512
d4dbb8f47783b7173351d0b633019741f5467e74c1a2daeed2edcda7c26b6c5f89d81702ee52f20aca599cd5318f6c9bc2fccaf3d801593d146188e0f5ffbe79

Download Submit
C:\Program Files\Windows Mail\SearchApp.exe
Filesize
828KB

MD5
d1ddc9594f33bc5ab209df344552b01f

SHA1
2e701e56fcf783375443823c309a679e0cedf97a

SHA256
bffb1ca0e0e07e4e938920b861c4ee96633fbd934c6528ca3bcddff5009aa54e

SHA512
d4dbb8f47783b7173351d0b633019741f5467e74c1a2daeed2edcda7c26b6c5f89d81702ee52f20aca599cd5318f6c9bc2fccaf3d801593d146188e0f5ffbe79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontCrt.exe.log
Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000211001\DCRatBuild.exe
Filesize
1.1MB

MD5
65d51781ab30cd3cf45cf872ab1393f2

SHA1
b535debd54056fe55231b9f040f62f0a2373278b

SHA256
7fe28f3a0c82bcbefc9a1459a90bb1ec75e719ea22ba247bac808e9411e03fd4

SHA512
354daab5682bff1890d4f240f39c1ba62edad06fc7d9cf474d02572eff6c9a6df91a2db9066b07046ddad276940c69661c9e1c61cbf11e1b6ad3a3e37a6dde20

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000211001\DCRatBuild.exe
Filesize
1.1MB

MD5
65d51781ab30cd3cf45cf872ab1393f2

SHA1
b535debd54056fe55231b9f040f62f0a2373278b

SHA256
7fe28f3a0c82bcbefc9a1459a90bb1ec75e719ea22ba247bac808e9411e03fd4

SHA512
354daab5682bff1890d4f240f39c1ba62edad06fc7d9cf474d02572eff6c9a6df91a2db9066b07046ddad276940c69661c9e1c61cbf11e1b6ad3a3e37a6dde20

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000211001\DCRatBuild.exe
Filesize
1.1MB

MD5
65d51781ab30cd3cf45cf872ab1393f2

SHA1
b535debd54056fe55231b9f040f62f0a2373278b

SHA256
7fe28f3a0c82bcbefc9a1459a90bb1ec75e719ea22ba247bac808e9411e03fd4

SHA512
354daab5682bff1890d4f240f39c1ba62edad06fc7d9cf474d02572eff6c9a6df91a2db9066b07046ddad276940c69661c9e1c61cbf11e1b6ad3a3e37a6dde20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15ys15.exe
Filesize
237KB

MD5
122e908f0b70cecbecbd69f54e350bbc

SHA1
e8a0e31875e5c859d1fd0d2dd88d9c694ba43465

SHA256
da19dc42a9ca15b3fd194cea81c89e5c911fe58dc27c6fad2e05d21aa9c6a581

SHA512
bbcc70046c8ab402e3468bbf5354bc254eb047c94c810c76647d01d0d90a3e18f35e8c23a09fdde04256a4400a39b167b41ef95be9dc0e10eca8a009ee1c2786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y15ys15.exe
Filesize
237KB

MD5
122e908f0b70cecbecbd69f54e350bbc

SHA1
e8a0e31875e5c859d1fd0d2dd88d9c694ba43465

SHA256
da19dc42a9ca15b3fd194cea81c89e5c911fe58dc27c6fad2e05d21aa9c6a581

SHA512
bbcc70046c8ab402e3468bbf5354bc254eb047c94c810c76647d01d0d90a3e18f35e8c23a09fdde04256a4400a39b167b41ef95be9dc0e10eca8a009ee1c2786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9810.exe
Filesize
872KB

MD5
752bfdab11257a647ce3278b29abf4ef

SHA1
5d5e39f50c9135d42838760f2b1327905e0af3a6

SHA256
3e7e811113dc9865f920364a2044748fc5fc8b1ae1c4c02bac7ad149b9f0df49

SHA512
fb41c6122bd9e3cd77de5674da14c6e11ad96447c0cdec1c97db4883bc354d88fc7c2328851d3e7de7a18c7bbf150220f4f67db9b43ee2e9744163bd0bd1e777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9810.exe
Filesize
872KB

MD5
752bfdab11257a647ce3278b29abf4ef

SHA1
5d5e39f50c9135d42838760f2b1327905e0af3a6

SHA256
3e7e811113dc9865f920364a2044748fc5fc8b1ae1c4c02bac7ad149b9f0df49

SHA512
fb41c6122bd9e3cd77de5674da14c6e11ad96447c0cdec1c97db4883bc354d88fc7c2328851d3e7de7a18c7bbf150220f4f67db9b43ee2e9744163bd0bd1e777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xepmF88.exe
Filesize
175KB

MD5
8fbeb3f66cd7a70cb51621b51440967c

SHA1
fb8e914e6d63d0c33a12c686dcac21861180e751

SHA256
11969bd9bd2bc605c824965c19b4cdb268190d35b123d912d8d3e78b7f90f6a3

SHA512
f1597d3c8a6c989026ae8ae72597fca78854fdde977cf4c1abbb2726fe060525e002bc9780e3b333f6d305e9540af0865061957945c631af475aeb2a4dfcebcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xepmF88.exe
Filesize
175KB

MD5
8fbeb3f66cd7a70cb51621b51440967c

SHA1
fb8e914e6d63d0c33a12c686dcac21861180e751

SHA256
11969bd9bd2bc605c824965c19b4cdb268190d35b123d912d8d3e78b7f90f6a3

SHA512
f1597d3c8a6c989026ae8ae72597fca78854fdde977cf4c1abbb2726fe060525e002bc9780e3b333f6d305e9540af0865061957945c631af475aeb2a4dfcebcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7133.exe
Filesize
729KB

MD5
14ee1859e55b0124edd9ebb0ce2ccb92

SHA1
b1506c501296a0d14fd71f90ac72bd722585e386

SHA256
ce596dd7b1f71032389b1174b1f9795816a1fdd8ac043f5e305da5248342c577

SHA512
4dc050f26fb344f0cbd7441f20abf859f171ac4a10e2f10249d5beb2975111f382d099e40da21c06f7824c973f9116d813d406fe65010baf02e750dc0be9a642

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7133.exe
Filesize
729KB

MD5
14ee1859e55b0124edd9ebb0ce2ccb92

SHA1
b1506c501296a0d14fd71f90ac72bd722585e386

SHA256
ce596dd7b1f71032389b1174b1f9795816a1fdd8ac043f5e305da5248342c577

SHA512
4dc050f26fb344f0cbd7441f20abf859f171ac4a10e2f10249d5beb2975111f382d099e40da21c06f7824c973f9116d813d406fe65010baf02e750dc0be9a642

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w98XI28.exe
Filesize
403KB

MD5
1ac3cf391920a1d2b60028bd48491854

SHA1
6ec468fdb21bcfc64fea4bfaad2f622cf81cc031

SHA256
5249675e5a155db734ab0fc2d69568e9d62100fe61bdf751e42ea62b7ed52222

SHA512
3b0802453ea511495424d6a8848b29b854b6d6614e22bf275c904873f4a4b36442fa939d4fb3528941eacc5b4a7e89eaf3cd8e825cacbf6b0a9b72cdc2fad47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w98XI28.exe
Filesize
403KB

MD5
1ac3cf391920a1d2b60028bd48491854

SHA1
6ec468fdb21bcfc64fea4bfaad2f622cf81cc031

SHA256
5249675e5a155db734ab0fc2d69568e9d62100fe61bdf751e42ea62b7ed52222

SHA512
3b0802453ea511495424d6a8848b29b854b6d6614e22bf275c904873f4a4b36442fa939d4fb3528941eacc5b4a7e89eaf3cd8e825cacbf6b0a9b72cdc2fad47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5296.exe
Filesize
362KB

MD5
5caa711712e67c38f36d18ee57d19793

SHA1
aa633b117463bae785d3ae73edd5dfa56a6e5e29

SHA256
b364f5bbe0af14b2f79ee4c01bf10ca06a62828b2c0af3c0b3587a39065f67b5

SHA512
12fbdbaabbbfcf87e1c0607e1306e167a6da676def27e23ab51f38401afa25f5679449bdfaf759057283115c8843ce6592d6fbda3bcc8a233239391ce2d3fffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap5296.exe
Filesize
362KB

MD5
5caa711712e67c38f36d18ee57d19793

SHA1
aa633b117463bae785d3ae73edd5dfa56a6e5e29

SHA256
b364f5bbe0af14b2f79ee4c01bf10ca06a62828b2c0af3c0b3587a39065f67b5

SHA512
12fbdbaabbbfcf87e1c0607e1306e167a6da676def27e23ab51f38401afa25f5679449bdfaf759057283115c8843ce6592d6fbda3bcc8a233239391ce2d3fffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4095.exe
Filesize
12KB

MD5
ece27ef344d7172b7d57b345116f18df

SHA1
a11ad3a3060b75d4079356e09a6db507cb500281

SHA256
379e59945375236daf4cd50d20df5a4ddeb5ad5ee478401622681252e9063229

SHA512
4e59c69b1a1bc8c619b73067e921552e823d6a4e468e54028db7cfecfda056453008469622f0c11db2c98bb0806d7693e830949ae2bd484ec0394d2d9c5ea2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4095.exe
Filesize
12KB

MD5
ece27ef344d7172b7d57b345116f18df

SHA1
a11ad3a3060b75d4079356e09a6db507cb500281

SHA256
379e59945375236daf4cd50d20df5a4ddeb5ad5ee478401622681252e9063229

SHA512
4e59c69b1a1bc8c619b73067e921552e823d6a4e468e54028db7cfecfda056453008469622f0c11db2c98bb0806d7693e830949ae2bd484ec0394d2d9c5ea2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0705JJ.exe
Filesize
345KB

MD5
3a8f961d8f90117460e5ec7e52937bb0

SHA1
d3a6b22500b6e6a18b8ef0899c8538a41c39047f

SHA256
17728975776fd090ebf531e49ee8accb90cf2105eec5b98cdc2fc3c449217178

SHA512
7e50fb637dc5333e4609fda505b7d5158900ccd87653af3a7946f7981bd27418085daa1a5480036ee4b5ada23e21a4d1fbf5a8e244bbee03fc582432a4a3bf64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0705JJ.exe
Filesize
345KB

MD5
3a8f961d8f90117460e5ec7e52937bb0

SHA1
d3a6b22500b6e6a18b8ef0899c8538a41c39047f

SHA256
17728975776fd090ebf531e49ee8accb90cf2105eec5b98cdc2fc3c449217178

SHA512
7e50fb637dc5333e4609fda505b7d5158900ccd87653af3a7946f7981bd27418085daa1a5480036ee4b5ada23e21a4d1fbf5a8e244bbee03fc582432a4a3bf64

Download Submit
C:\Users\Admin\AppData\Local\Temp\JjZrQ0bUjT.bat
Filesize
208B

MD5
796fffbd6348c9793356a859dc6c3665

SHA1
a00cd72c30bcbc6e1105b647d040d0c0dcb7d98f

SHA256
bf19ebd591480d693c8fee5dbbbea61bd8c45fd698687d1aa68887aeb6c11ab6

SHA512
933e0c840febe35edfe564a1b93ff19ffe9921c926e13778c7bf56d793618d177267fad85f5c159a024a521e95796eaaed6e8b2a5a8d284d4dc2e319c074fb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsgguySYuj.bat
Filesize
230B

MD5
e26fb812a7f36f290dd35dc9ac2bbf5e

SHA1
ab81a4a07bb52e6410761721af44579da70b8502

SHA256
5e74a925d203f63ba88a303c80766702818e958e46e8b2f3535500ad30d87345

SHA512
770c69015e7de629ac291da25780dc95cd3b342933f97e390c107fa222c35a74aff2e3c4028a95a6b65d6940aa5f56758e22d5e1fa6f3fa882c2da82cd9644ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
122e908f0b70cecbecbd69f54e350bbc

SHA1
e8a0e31875e5c859d1fd0d2dd88d9c694ba43465

SHA256
da19dc42a9ca15b3fd194cea81c89e5c911fe58dc27c6fad2e05d21aa9c6a581

SHA512
bbcc70046c8ab402e3468bbf5354bc254eb047c94c810c76647d01d0d90a3e18f35e8c23a09fdde04256a4400a39b167b41ef95be9dc0e10eca8a009ee1c2786

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
122e908f0b70cecbecbd69f54e350bbc

SHA1
e8a0e31875e5c859d1fd0d2dd88d9c694ba43465

SHA256
da19dc42a9ca15b3fd194cea81c89e5c911fe58dc27c6fad2e05d21aa9c6a581

SHA512
bbcc70046c8ab402e3468bbf5354bc254eb047c94c810c76647d01d0d90a3e18f35e8c23a09fdde04256a4400a39b167b41ef95be9dc0e10eca8a009ee1c2786

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
122e908f0b70cecbecbd69f54e350bbc

SHA1
e8a0e31875e5c859d1fd0d2dd88d9c694ba43465

SHA256
da19dc42a9ca15b3fd194cea81c89e5c911fe58dc27c6fad2e05d21aa9c6a581

SHA512
bbcc70046c8ab402e3468bbf5354bc254eb047c94c810c76647d01d0d90a3e18f35e8c23a09fdde04256a4400a39b167b41ef95be9dc0e10eca8a009ee1c2786

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
122e908f0b70cecbecbd69f54e350bbc

SHA1
e8a0e31875e5c859d1fd0d2dd88d9c694ba43465

SHA256
da19dc42a9ca15b3fd194cea81c89e5c911fe58dc27c6fad2e05d21aa9c6a581

SHA512
bbcc70046c8ab402e3468bbf5354bc254eb047c94c810c76647d01d0d90a3e18f35e8c23a09fdde04256a4400a39b167b41ef95be9dc0e10eca8a009ee1c2786

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
122e908f0b70cecbecbd69f54e350bbc

SHA1
e8a0e31875e5c859d1fd0d2dd88d9c694ba43465

SHA256
da19dc42a9ca15b3fd194cea81c89e5c911fe58dc27c6fad2e05d21aa9c6a581

SHA512
bbcc70046c8ab402e3468bbf5354bc254eb047c94c810c76647d01d0d90a3e18f35e8c23a09fdde04256a4400a39b167b41ef95be9dc0e10eca8a009ee1c2786

Download Submit
C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\Dv4vvNTlsubx.vbe
Filesize
219B

MD5
c36f850a73a3f0424b00edc0ae0776c2

SHA1
5c961660e4a930afbc16ccb471908af6eadd5652

SHA256
978b1d10d11101a7666d2c775473c17d4874adf2fad97004540d6cf806943688

SHA512
05dba102326f4fb5006e35cc991e5c0445e4eeabc4a2c3dfbeb1b286a2a85d1b9db7361625b2babd7f8fd867364fe4bdf8f2f0e4b09ccae0b1783bce48219695

Download Submit
C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\IiKt0EWKMiNQh.bat
Filesize
46B

MD5
0369a49f0cc3dd55b6a9c7f7b19d7133

SHA1
4e554554ddfe7f6e1b2e8ae9f32159d8d5db263f

SHA256
0958c0f7ac9925d1292aa6c5971c7b6e82b76a79909b4bd93b73fc6a2bb71042

SHA512
3857e68163d4d36f74fffbad873890ff8878cc1f70022b417246c877a93580330d5c0812cc8b22fc13005ed5e0d21e29620e26a2625a8f1f9ce7af686aa991eb

Download Submit
C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe
Filesize
828KB

MD5
d1ddc9594f33bc5ab209df344552b01f

SHA1
2e701e56fcf783375443823c309a679e0cedf97a

SHA256
bffb1ca0e0e07e4e938920b861c4ee96633fbd934c6528ca3bcddff5009aa54e

SHA512
d4dbb8f47783b7173351d0b633019741f5467e74c1a2daeed2edcda7c26b6c5f89d81702ee52f20aca599cd5318f6c9bc2fccaf3d801593d146188e0f5ffbe79

Download Submit
C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe
Filesize
828KB

MD5
d1ddc9594f33bc5ab209df344552b01f

SHA1
2e701e56fcf783375443823c309a679e0cedf97a

SHA256
bffb1ca0e0e07e4e938920b861c4ee96633fbd934c6528ca3bcddff5009aa54e

SHA512
d4dbb8f47783b7173351d0b633019741f5467e74c1a2daeed2edcda7c26b6c5f89d81702ee52f20aca599cd5318f6c9bc2fccaf3d801593d146188e0f5ffbe79

Download Submit
C:\Users\Admin\AppData\Roaming\PortAgentHostDllCommon\fontCrt.exe
Filesize
828KB

MD5
d1ddc9594f33bc5ab209df344552b01f

SHA1
2e701e56fcf783375443823c309a679e0cedf97a

SHA256
bffb1ca0e0e07e4e938920b861c4ee96633fbd934c6528ca3bcddff5009aa54e

SHA512
d4dbb8f47783b7173351d0b633019741f5467e74c1a2daeed2edcda7c26b6c5f89d81702ee52f20aca599cd5318f6c9bc2fccaf3d801593d146188e0f5ffbe79

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
C:\odt\wininit.exe
Filesize
828KB

MD5
d1ddc9594f33bc5ab209df344552b01f

SHA1
2e701e56fcf783375443823c309a679e0cedf97a

SHA256
bffb1ca0e0e07e4e938920b861c4ee96633fbd934c6528ca3bcddff5009aa54e

SHA512
d4dbb8f47783b7173351d0b633019741f5467e74c1a2daeed2edcda7c26b6c5f89d81702ee52f20aca599cd5318f6c9bc2fccaf3d801593d146188e0f5ffbe79

Download Submit
memory/1296-237-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-1135-0x00000000098A0000-0x00000000098F0000-memory.dmp

Filesize
320KB

Download
memory/1296-213-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1296-215-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-217-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-214-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-219-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-221-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-223-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-225-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-227-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-229-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-231-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-233-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-235-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-212-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1296-239-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-241-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-243-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-245-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-247-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

Filesize
252KB

Download
memory/1296-1120-0x00000000079E0000-0x0000000007FF8000-memory.dmp

Filesize
6.1MB

Download
memory/1296-1121-0x0000000008000000-0x000000000810A000-memory.dmp

Filesize
1.0MB

Download
memory/1296-1122-0x00000000073D0000-0x00000000073E2000-memory.dmp

Filesize
72KB

Download
memory/1296-1123-0x0000000008110000-0x000000000814C000-memory.dmp

Filesize
240KB

Download
memory/1296-1124-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1296-1126-0x00000000083D0000-0x0000000008462000-memory.dmp

Filesize
584KB

Download
memory/1296-1127-0x0000000008470000-0x00000000084D6000-memory.dmp

Filesize
408KB

Download
memory/1296-1128-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1296-1129-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1296-1130-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1296-1131-0x0000000008DD0000-0x0000000008F92000-memory.dmp

Filesize
1.8MB

Download
memory/1296-1132-0x0000000008FB0000-0x00000000094DC000-memory.dmp

Filesize
5.2MB

Download
memory/1296-1133-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1296-1134-0x0000000009800000-0x0000000009876000-memory.dmp

Filesize
472KB

Download
memory/1296-211-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/1296-210-0x0000000002BA0000-0x0000000002BEB000-memory.dmp

Filesize
300KB

Download
memory/1360-161-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/2112-1185-0x0000000000DE0000-0x0000000000EB6000-memory.dmp

Filesize
856KB

Download
memory/2112-1188-0x000000001BA70000-0x000000001BA80000-memory.dmp

Filesize
64KB

Download
memory/3528-198-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3528-199-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3528-167-0x0000000002B90000-0x0000000002BBD000-memory.dmp

Filesize
180KB

Download
memory/3528-200-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/3528-184-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-205-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/3528-197-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3528-196-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-194-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-192-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-190-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-182-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-186-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-204-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3528-202-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3528-203-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3528-188-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-180-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-178-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-168-0x0000000007350000-0x00000000078F4000-memory.dmp

Filesize
5.6MB

Download
memory/3528-174-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-176-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-172-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-169-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3528-170-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/3876-1215-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/4780-1238-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/5036-1142-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/5036-1141-0x00000000009A0000-0x00000000009D2000-memory.dmp

Filesize
200KB

Download