diamondfox | 2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301

Analysis

max time kernel
150s
max time network
148s
platform
windows10_x64
resource
win10v20210410
submitted
07/06/2021, 06:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33815ECF51B4A2F18811FBA9ED999D36.exe
Size

2.5MB
MD5

33815ecf51b4a2f18811fba9ed999d36
SHA1

709cde4326af52f644cf00d260af65bdd0cbf5e1
SHA256

2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301
SHA512

d3e1669d4e60d180a9bcd6b87f2c376be69bb7bebf6a73f0503ab65e4770354b71adcfc0688444ccf9a4d57fff32542f29bbcf12bc9686f347fa8ae8eaac82f5

Score

10^/10

diamondfox redline taurus 002 botnet discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

002

piporopopo.com:54367

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4832-185-0x0000000002540000-0x0000000002559000-memory.dmp	family_redline
behavioral2/memory/4832-187-0x00000000025C0000-0x00000000025D7000-memory.dmp	family_redline

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2004-182-0x0000000000400000-0x0000000000646000-memory.dmp	family_taurus_stealer

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral2/memory/4424-169-0x0000000000400000-0x0000000000641000-memory.dmp	diamondfox
behavioral2/memory/5112-210-0x0000000000400000-0x0000000000641000-memory.dmp	diamondfox

Executes dropped EXE 16 IoCs

pid	Process
2716	der.dll
4204	curl.dll
4480	autorun.dll
4604	autorun.exe
4688	sistemes.dll
4916	MicrosoftEdgeCP.exe
4952	laun.dll
5112	MicrosoftEdgeCPS.exe
2716	der.dll
4424	der.exe
4452	Tausuus.dll
2004	Tausuus.exe
4520	red.dll
4832	red.exe
5112	MicrosoftEdgeCPS.exe
2224	getmac.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	33815ECF51B4A2F18811FBA9ED999D36.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Time Manager = "C:\\ProgramData\\TimeManager.exe"	Explorer.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4848	4604	WerFault.exe	86

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5040	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4224	timeout.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2e91ed57685bd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 96669a42685bd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{EDD157A1-7737-4C1C-9656-883B2EFDECD6}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "329210194"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000009ed95b7be809bb801065524aab8f1d33c65bf8ef7c13e33b4d9821d8db051a2d27c90474535bf844c210723b2bcd98a6bf808c0a26706039f11562e834f3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "{B09AE6DA-5828-460B-89EB-63A8E6D4C3EA}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{B2421D35-C052-4091-9756-FABB9A05D286} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2d3bf042685bd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = d4e45c49685bd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "329862340"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = c041dca79a5bd701	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
4848	WerFault.exe
5112	MicrosoftEdgeCPS.exe
5112	MicrosoftEdgeCPS.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
4832	red.exe
4832	red.exe
4832	red.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4116	MicrosoftEdgeCP.exe
4116	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	MicrosoftEdge.exe
Token: SeDebugPrivilege	2208	MicrosoftEdge.exe
Token: SeDebugPrivilege	2208	MicrosoftEdge.exe
Token: SeDebugPrivilege	2208	MicrosoftEdge.exe
Token: SeDebugPrivilege	4184	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4184	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4184	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4184	MicrosoftEdgeCP.exe
Token: SeRestorePrivilege	4848	WerFault.exe
Token: SeBackupPrivilege	4848	WerFault.exe
Token: SeDebugPrivilege	4848	WerFault.exe
Token: SeDebugPrivilege	5112	MicrosoftEdgeCPS.exe
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeDebugPrivilege	4916	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4916	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	4832	red.exe
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2208	MicrosoftEdge.exe
4116	MicrosoftEdgeCP.exe
4116	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2824	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 2716	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	97
PID 3892 wrote to memory of 2716	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	97
PID 3892 wrote to memory of 2716	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	97
PID 3892 wrote to memory of 4204	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	84
PID 3892 wrote to memory of 4204	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	84
PID 3892 wrote to memory of 4204	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	84
PID 3892 wrote to memory of 4480	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	85
PID 3892 wrote to memory of 4480	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	85
PID 3892 wrote to memory of 4480	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	85
PID 4480 wrote to memory of 4604	4480	autorun.dll	86
PID 4480 wrote to memory of 4604	4480	autorun.dll	86
PID 4480 wrote to memory of 4604	4480	autorun.dll	86
PID 3892 wrote to memory of 4688	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	88
PID 3892 wrote to memory of 4688	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	88
PID 3892 wrote to memory of 4688	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	88
PID 4688 wrote to memory of 4916	4688	sistemes.dll	103
PID 4688 wrote to memory of 4916	4688	sistemes.dll	103
PID 4688 wrote to memory of 4916	4688	sistemes.dll	103
PID 3892 wrote to memory of 4952	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	93
PID 3892 wrote to memory of 4952	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	93
PID 3892 wrote to memory of 4952	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	93
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4916 wrote to memory of 5040	4916	MicrosoftEdgeCP.exe	94
PID 4916 wrote to memory of 5040	4916	MicrosoftEdgeCP.exe	94
PID 4916 wrote to memory of 5040	4916	MicrosoftEdgeCP.exe	94
PID 4952 wrote to memory of 5112	4952	laun.dll	104
PID 4952 wrote to memory of 5112	4952	laun.dll	104
PID 4952 wrote to memory of 5112	4952	laun.dll	104
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 3892 wrote to memory of 2716	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	97
PID 3892 wrote to memory of 2716	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	97
PID 3892 wrote to memory of 2716	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	97
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 5112 wrote to memory of 2824	5112	MicrosoftEdgeCPS.exe	7
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 2716 wrote to memory of 4424	2716	der.dll	98
PID 2716 wrote to memory of 4424	2716	der.dll	98
PID 2716 wrote to memory of 4424	2716	der.dll	98
PID 3892 wrote to memory of 4452	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	99
PID 3892 wrote to memory of 4452	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	99
PID 3892 wrote to memory of 4452	3892	33815ECF51B4A2F18811FBA9ED999D36.exe	99
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4116 wrote to memory of 4184	4116	MicrosoftEdgeCP.exe	83
PID 4452 wrote to memory of 2004	4452	Tausuus.dll	100
PID 4452 wrote to memory of 2004	4452	Tausuus.dll	100
PID 4452 wrote to memory of 2004	4452	Tausuus.dll	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2824
- C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe
  "C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Users\Admin\AppData\Roaming\Control.dll
    "C:\Users\Admin\AppData\Roaming\Control.dll" -s -psfgvedfsbetdfhgbefsdtgretgdhdgersfhbetfsgrsfhasgsdg
    3⤵
    PID:2716
- - C:\Users\Admin\AppData\Roaming\curl.dll
    "C:\Users\Admin\AppData\Roaming\curl.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    PID:4204
- - C:\Users\Admin\AppData\Roaming\autorun.dll
    "C:\Users\Admin\AppData\Roaming\autorun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Users\Admin\AppData\Roaming\autorun.exe
      "C:\Users\Admin\AppData\Roaming\autorun.exe"
      4⤵
      Executes dropped EXE
      PID:4604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 888
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
- - C:\Users\Admin\AppData\Roaming\sistemes.dll
    "C:\Users\Admin\AppData\Roaming\sistemes.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Users\Admin\AppData\Roaming\sistemes.exe
      "C:\Users\Admin\AppData\Roaming\sistemes.exe"
      4⤵
      PID:4916
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn Windows\MicrosoftVisualStudio /tr "C:\ProgramData\Microsoft Visual Studio\getmac.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
        5⤵
        Creates scheduled task(s)
        
        PID:5040
- - C:\Users\Admin\AppData\Roaming\laun.dll
    "C:\Users\Admin\AppData\Roaming\laun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Users\Admin\AppData\Roaming\laun.exe
      "C:\Users\Admin\AppData\Roaming\laun.exe"
      4⤵
      PID:5112
- - C:\Users\Admin\AppData\Roaming\der.dll
    "C:\Users\Admin\AppData\Roaming\der.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Roaming\der.exe
      "C:\Users\Admin\AppData\Roaming\der.exe"
      4⤵
      Executes dropped EXE
      PID:4424
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
- - C:\Users\Admin\AppData\Roaming\Tausuus.dll
    "C:\Users\Admin\AppData\Roaming\Tausuus.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Users\Admin\AppData\Roaming\Tausuus.exe
      "C:\Users\Admin\AppData\Roaming\Tausuus.exe"
      4⤵
      Executes dropped EXE
      PID:2004
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\Tausuus.exe
        5⤵
        
        PID:4428
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        6⤵
        Delays execution with timeout.exe
        
        PID:4224
- - C:\Users\Admin\AppData\Roaming\red.dll
    "C:\Users\Admin\AppData\Roaming\red.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    PID:4520
  - - C:\Users\Admin\AppData\Roaming\red.exe
      "C:\Users\Admin\AppData\Roaming\red.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4832

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1564

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4836

C:\ProgramData\Microsoft Visual Studio\getmac.exe
"C:\ProgramData\Microsoft Visual Studio\getmac.exe"
1⤵
- Executes dropped EXE
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/412-207-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/412-205-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/412-212-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/412-249-0x0000000004A13000-0x0000000004A14000-memory.dmp

Filesize
4KB

Download
memory/412-211-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/412-239-0x0000000009700000-0x0000000009701000-memory.dmp

Filesize
4KB

Download
memory/412-209-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/412-215-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/412-238-0x000000007E770000-0x000000007E771000-memory.dmp

Filesize
4KB

Download
memory/412-206-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/412-213-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/412-214-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/412-237-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/412-217-0x00000000083D0000-0x00000000083D1000-memory.dmp

Filesize
4KB

Download
memory/412-225-0x0000000009180000-0x00000000091B3000-memory.dmp

Filesize
204KB

Download
memory/412-232-0x0000000009160000-0x0000000009161000-memory.dmp

Filesize
4KB

Download
memory/2004-182-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/2004-180-0x0000000000100000-0x00000000001AE000-memory.dmp

Filesize
696KB

Download
memory/2224-255-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2824-159-0x0000000000EF0000-0x0000000000F05000-memory.dmp

Filesize
84KB

Download
memory/4424-169-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/4604-143-0x0000000000400000-0x0000000000617000-memory.dmp

Filesize
2.1MB

Download
memory/4604-140-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/4832-191-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/4832-183-0x0000000000100000-0x00000000001AE000-memory.dmp

Filesize
696KB

Download
memory/4832-192-0x0000000004B62000-0x0000000004B63000-memory.dmp

Filesize
4KB

Download
memory/4832-196-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4832-193-0x0000000004B63000-0x0000000004B64000-memory.dmp

Filesize
4KB

Download
memory/4832-195-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/4832-190-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4832-189-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/4832-188-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/4832-187-0x00000000025C0000-0x00000000025D7000-memory.dmp

Filesize
92KB

Download
memory/4832-186-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4832-185-0x0000000002540000-0x0000000002559000-memory.dmp

Filesize
100KB

Download
memory/4832-184-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/4832-194-0x0000000004B64000-0x0000000004B66000-memory.dmp

Filesize
8KB

Download
memory/4832-240-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/4916-146-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5112-210-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/5112-158-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/5112-157-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download