diamondfox | 2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301

Analysis

max time kernel
150s
max time network
160s
platform
windows10_x64
resource
win10v20210410
submitted
07-06-2021 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33815ECF51B4A2F18811FBA9ED999D36.exe
Size

2.5MB
MD5

33815ecf51b4a2f18811fba9ed999d36
SHA1

709cde4326af52f644cf00d260af65bdd0cbf5e1
SHA256

2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301
SHA512

d3e1669d4e60d180a9bcd6b87f2c376be69bb7bebf6a73f0503ab65e4770354b71adcfc0688444ccf9a4d57fff32542f29bbcf12bc9686f347fa8ae8eaac82f5

Score

10^/10

diamondfox redline taurus 002 botnet discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

002

piporopopo.com:54367

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2224-187-0x0000000000530000-0x0000000000549000-memory.dmp	family_redline
behavioral2/memory/2224-189-0x00000000023B0000-0x00000000023C7000-memory.dmp	family_redline

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4404-180-0x0000000000400000-0x0000000000646000-memory.dmp	family_taurus_stealer

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral2/memory/4252-170-0x0000000000400000-0x0000000000641000-memory.dmp	diamondfox
behavioral2/memory/4976-213-0x0000000000400000-0x0000000000641000-memory.dmp	diamondfox

Executes dropped EXE 16 IoCs

pid	Process
3752	Control.dll
2676	curl.dll
4360	autorun.dll
4508	autorun.exe
4592	sistemes.dll
4796	sistemes.exe
4828	laun.dll
4988	laun.exe
5016	der.dll
4252	der.exe
4280	Tausuus.dll
4404	Tausuus.exe
2588	red.dll
2224	red.exe
4976	MicrosoftEdgeCPS.exe
4280	getmac.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	33815ECF51B4A2F18811FBA9ED999D36.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Time Manager = "C:\\ProgramData\\TimeManager.exe"	Explorer.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4728	4508	WerFault.exe	86

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4896	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4616	timeout.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = d7d5614f5f5bd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABEE = 0300000001000000140000004eef7faf0062d34abee6137e774438ae9988739f04000000010000001000000024d7172657e6b799f66cf32ae88b5c280f0000000100000020000000547b3c62613c9c2b025d5461623ae703e9853ee45a8bf3b425bf63528e992912140000000100000014000000fe7e60dd9d8292295edf1cf80869a75b98896ed01900000001000000100000002aac2185e0e1b6503eb16a495b1815fc5c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000eb050000308205e7308203cfa003020102021333000001a636dabe8bbe573d9a0000000001a6300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3231303331313139323835325a170d3232303631313139323835325a3081a9310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3127302506092a864886f70d010901161862696e6769657465616d406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0b49f5b650f0fa690df343367a2cd62155e98e3c0fc14cb1f696618be8c327ef257f50d47bce3a4286e36edc0382e0ac81096dbce62463bb552970d01d02a7ca642d6faed9b5878c4e2e33e7c9f94ea4eb7f125662d5d2fe78138ce3e827bd98969028a908fab20632542a1ef952c10382b7efcaae1f5e7521d5fb617a93aa002b579a3203726111c73a9832712e3b5d4d140b247c91824de8123b45ea39fbcdb6e5c77d68cd3db64dd24844a1879865356f655cf1c5d94b208e244bd075a9823c87af7bcad6aab52e3444aad2947a7baad0d42c9d785964dbd8b4e09004359094d0646c3ca98e7c698b0fa7d6f1606b1459fd6df8d9aea8ae85911789bc5e10203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414fe7e60dd9d8292295edf1cf80869a75b98896ed0301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c1055e1c6ece899cbff031668bd0b72ee668484f9392c48efe112ba21c521af47582849539f2fd53f7f8adecc243743211150de90b106e6bdaaedb88a8fc71aff2bd4bfeae5628507aa3b47095bf680a0a56bc6cb9c70871fa0b05857bf1762af884469264870c4139f7f9e93bbedaf73a867994c51e7c8473506f1ca68a8f9059cfa5c068be7ecade98315eebd7e71431ebe7d033b4fc8056d94ab70b03e1368082fc83a82cd632b9f3a03f9c9d51881c39b432ee9856e87835bc0481e57489da3590d20b2b9b0900704de861f994d956a2c0347178c59e5048bb9bbfbe8cef237d5860d7f407dcbce486eee7d98a90509a8f1b81445453326b139f0d2fdc68b831681fa96f2284b8153e3dbe60cb2d0ac030d0e2ecfc85c9d361c25e01cabe57cd6ebdc40708b2bd449152e90d2d45d725db856ab64d29a9fdb9fdb85f6354cbd5be240f4b71fa745db8eb32c0e4ea4747bfa5a4f9a5346e42b3379636d05e52225cea1baa7792b8f51b803658026b11fd0ab5877a99f4e74ff994c61177ea425554a7135d8b020661d2d285eb8bf1aa00d3bf78e2f5dba62cd7befdb85fffe6c1b65643f56fe36cf412f366b03bc8c78c852c1ed43a218256636d67eb8241477d3258af4f96b9698b0326d6d01826734eb18f1b393cbf85c0f9fdab4fb854536110f2f678003f80f270cbb1fbeb5ba09523f959dfeba84319577874e4dec0	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8c43d8465f5bd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 10efd55d5f5bd701	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4728	WerFault.exe
4988	laun.exe
4988	laun.exe
4948	powershell.exe
4948	powershell.exe
4948	powershell.exe
4948	powershell.exe
2224	red.exe
2224	red.exe
2224	red.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4076	MicrosoftEdgeCP.exe
4076	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	MicrosoftEdge.exe
Token: SeDebugPrivilege	3868	MicrosoftEdge.exe
Token: SeDebugPrivilege	3868	MicrosoftEdge.exe
Token: SeDebugPrivilege	3868	MicrosoftEdge.exe
Token: SeDebugPrivilege	4148	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4148	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4148	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4148	MicrosoftEdgeCP.exe
Token: SeRestorePrivilege	4728	WerFault.exe
Token: SeBackupPrivilege	4728	WerFault.exe
Token: SeDebugPrivilege	4728	WerFault.exe
Token: SeDebugPrivilege	4988	laun.exe
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeDebugPrivilege	4736	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4736	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	2224	red.exe
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3868	MicrosoftEdge.exe
4076	MicrosoftEdgeCP.exe
4076	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2824	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 3752	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	81
PID 3876 wrote to memory of 3752	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	81
PID 3876 wrote to memory of 3752	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	81
PID 3876 wrote to memory of 2676	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	83
PID 3876 wrote to memory of 2676	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	83
PID 3876 wrote to memory of 2676	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	83
PID 3876 wrote to memory of 4360	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	85
PID 3876 wrote to memory of 4360	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	85
PID 3876 wrote to memory of 4360	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	85
PID 4360 wrote to memory of 4508	4360	autorun.dll	86
PID 4360 wrote to memory of 4508	4360	autorun.dll	86
PID 4360 wrote to memory of 4508	4360	autorun.dll	86
PID 3876 wrote to memory of 4592	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	88
PID 3876 wrote to memory of 4592	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	88
PID 3876 wrote to memory of 4592	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	88
PID 4592 wrote to memory of 4796	4592	sistemes.dll	92
PID 4592 wrote to memory of 4796	4592	sistemes.dll	92
PID 4592 wrote to memory of 4796	4592	sistemes.dll	92
PID 3876 wrote to memory of 4828	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	93
PID 3876 wrote to memory of 4828	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	93
PID 3876 wrote to memory of 4828	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	93
PID 4796 wrote to memory of 4896	4796	sistemes.exe	94
PID 4796 wrote to memory of 4896	4796	sistemes.exe	94
PID 4796 wrote to memory of 4896	4796	sistemes.exe	94
PID 4828 wrote to memory of 4988	4828	laun.dll	96
PID 4828 wrote to memory of 4988	4828	laun.dll	96
PID 4828 wrote to memory of 4988	4828	laun.dll	96
PID 3876 wrote to memory of 5016	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	97
PID 3876 wrote to memory of 5016	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	97
PID 3876 wrote to memory of 5016	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	97
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4988 wrote to memory of 2824	4988	laun.exe	1
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 5016 wrote to memory of 4252	5016	der.dll	98
PID 5016 wrote to memory of 4252	5016	der.dll	98
PID 5016 wrote to memory of 4252	5016	der.dll	98
PID 3876 wrote to memory of 4280	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	99
PID 3876 wrote to memory of 4280	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	99
PID 3876 wrote to memory of 4280	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	99
PID 4280 wrote to memory of 4404	4280	Tausuus.dll	100
PID 4280 wrote to memory of 4404	4280	Tausuus.dll	100
PID 4280 wrote to memory of 4404	4280	Tausuus.dll	100
PID 3876 wrote to memory of 2588	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	101
PID 3876 wrote to memory of 2588	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	101
PID 3876 wrote to memory of 2588	3876	33815ECF51B4A2F18811FBA9ED999D36.exe	101
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84
PID 4076 wrote to memory of 4148	4076	MicrosoftEdgeCP.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2824
- C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe
  "C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Roaming\Control.dll
    "C:\Users\Admin\AppData\Roaming\Control.dll" -s -psfgvedfsbetdfhgbefsdtgretgdhdgersfhbetfsgrsfhasgsdg
    3⤵
    - Executes dropped EXE
    PID:3752
- - C:\Users\Admin\AppData\Roaming\curl.dll
    "C:\Users\Admin\AppData\Roaming\curl.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    PID:2676
- - C:\Users\Admin\AppData\Roaming\autorun.dll
    "C:\Users\Admin\AppData\Roaming\autorun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Users\Admin\AppData\Roaming\autorun.exe
      "C:\Users\Admin\AppData\Roaming\autorun.exe"
      4⤵
      Executes dropped EXE
      PID:4508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 888
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
- - C:\Users\Admin\AppData\Roaming\sistemes.dll
    "C:\Users\Admin\AppData\Roaming\sistemes.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Users\Admin\AppData\Roaming\sistemes.exe
      "C:\Users\Admin\AppData\Roaming\sistemes.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn Windows\MicrosoftVisualStudio /tr "C:\ProgramData\Microsoft Visual Studio\getmac.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
        5⤵
        Creates scheduled task(s)
        
        PID:4896
- - C:\Users\Admin\AppData\Roaming\laun.dll
    "C:\Users\Admin\AppData\Roaming\laun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Users\Admin\AppData\Roaming\laun.exe
      "C:\Users\Admin\AppData\Roaming\laun.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4988
- - C:\Users\Admin\AppData\Roaming\der.dll
    "C:\Users\Admin\AppData\Roaming\der.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Users\Admin\AppData\Roaming\der.exe
      "C:\Users\Admin\AppData\Roaming\der.exe"
      4⤵
      Executes dropped EXE
      PID:4252
    - - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
        
        "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
        5⤵
        Executes dropped EXE
        
        PID:4976
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
- - C:\Users\Admin\AppData\Roaming\Tausuus.dll
    "C:\Users\Admin\AppData\Roaming\Tausuus.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Roaming\Tausuus.exe
      "C:\Users\Admin\AppData\Roaming\Tausuus.exe"
      4⤵
      Executes dropped EXE
      PID:4404
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\Tausuus.exe
        5⤵
        
        PID:4756
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        6⤵
        Delays execution with timeout.exe
        
        PID:4616
- - C:\Users\Admin\AppData\Roaming\red.dll
    "C:\Users\Admin\AppData\Roaming\red.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
    3⤵
    - Executes dropped EXE
    PID:2588
  - - C:\Users\Admin\AppData\Roaming\red.exe
      "C:\Users\Admin\AppData\Roaming\red.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5016

C:\ProgramData\Microsoft Visual Studio\getmac.exe
"C:\ProgramData\Microsoft Visual Studio\getmac.exe"
1⤵
- Executes dropped EXE
PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-189-0x00000000023B0000-0x00000000023C7000-memory.dmp

Filesize
92KB

Download
memory/2224-195-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/2224-193-0x0000000004BB2000-0x0000000004BB3000-memory.dmp

Filesize
4KB

Download
memory/2224-194-0x0000000004BB3000-0x0000000004BB4000-memory.dmp

Filesize
4KB

Download
memory/2224-190-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/2224-192-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2224-221-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/2224-242-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/2224-188-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2224-191-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2224-196-0x0000000004BB4000-0x0000000004BB6000-memory.dmp

Filesize
8KB

Download
memory/2224-185-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2224-197-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2224-241-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/2224-187-0x0000000000530000-0x0000000000549000-memory.dmp

Filesize
100KB

Download
memory/2224-186-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/2824-160-0x0000000000EE0000-0x0000000000EF5000-memory.dmp

Filesize
84KB

Download
memory/4252-170-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/4280-256-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4404-179-0x0000000000100000-0x00000000001AE000-memory.dmp

Filesize
696KB

Download
memory/4404-180-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4508-136-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4508-137-0x0000000000400000-0x0000000000617000-memory.dmp

Filesize
2.1MB

Download
memory/4796-148-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4796-147-0x0000000000140000-0x00000000001EE000-memory.dmp

Filesize
696KB

Download
memory/4948-245-0x000000007E770000-0x000000007E771000-memory.dmp

Filesize
4KB

Download
memory/4948-227-0x0000000009370000-0x00000000093A3000-memory.dmp

Filesize
204KB

Download
memory/4948-210-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/4948-211-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/4948-206-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/4948-207-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/4948-214-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4948-215-0x0000000004B12000-0x0000000004B13000-memory.dmp

Filesize
4KB

Download
memory/4948-216-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/4948-218-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/4948-208-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/4948-209-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/4948-234-0x0000000009150000-0x0000000009151000-memory.dmp

Filesize
4KB

Download
memory/4948-239-0x00000000094E0000-0x00000000094E1000-memory.dmp

Filesize
4KB

Download
memory/4948-240-0x00000000096B0000-0x00000000096B1000-memory.dmp

Filesize
4KB

Download
memory/4948-247-0x0000000004B13000-0x0000000004B14000-memory.dmp

Filesize
4KB

Download
memory/4976-213-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/4976-212-0x0000000000100000-0x00000000001AE000-memory.dmp

Filesize
696KB

Download
memory/4988-158-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download
memory/4988-159-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download