hxxp://google[.]com

Analysis

max time kernel
598s
max time network
584s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4732	You-Are-An-Idiot-Vir_eejUzc4HeL.tmp
4452	audioconverter32.exe

Loads dropped DLL 3 IoCs

pid	Process
4732	You-Are-An-Idiot-Vir_eejUzc4HeL.tmp
4732	You-Are-An-Idiot-Vir_eejUzc4HeL.tmp
4732	You-Are-An-Idiot-Vir_eejUzc4HeL.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
772	msedge.exe
772	msedge.exe
4984	identity_helper.exe
4984	identity_helper.exe
3876	msedge.exe
3876	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4732	You-Are-An-Idiot-Vir_eejUzc4HeL.tmp
4732	You-Are-An-Idiot-Vir_eejUzc4HeL.tmp
4452	audioconverter32.exe
4452	audioconverter32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
4732	You-Are-An-Idiot-Vir_eejUzc4HeL.tmp

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 1568	772	msedge.exe	80
PID 772 wrote to memory of 1568	772	msedge.exe	80
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1548	772	msedge.exe	81
PID 772 wrote to memory of 1676	772	msedge.exe	82
PID 772 wrote to memory of 1676	772	msedge.exe	82
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83
PID 772 wrote to memory of 4188	772	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb614e46f8,0x7ffb614e4708,0x7ffb614e4718
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13050072077181112838,11547153349919600840,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6616 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\Temp1_You-Are-An-Idiot-Vir_eejUzc4HeL.zip\You-Are-An-Idiot-Vir_eejUzc4HeL.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_You-Are-An-Idiot-Vir_eejUzc4HeL.zip\You-Are-An-Idiot-Vir_eejUzc4HeL.exe"
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\is-U08N0.tmp\You-Are-An-Idiot-Vir_eejUzc4HeL.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-U08N0.tmp\You-Are-An-Idiot-Vir_eejUzc4HeL.tmp" /SL5="$140042,6132253,56832,C:\Users\Admin\AppData\Local\Temp\Temp1_You-Are-An-Idiot-Vir_eejUzc4HeL.zip\You-Are-An-Idiot-Vir_eejUzc4HeL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4732
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Audio_Converter_583"
    3⤵
    PID:4716
- - C:\Users\Admin\AppData\Local\Freemake Audio Converter\audioconverter32.exe
    "C:\Users\Admin\AppData\Local\Freemake Audio Converter\audioconverter32.exe" ddb078644de721dfdcbf94210a2b81f4
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Freemake Audio Converter\audioconverter32.exe

Filesize
4.0MB

MD5
ed8cf4561da45a6d030daae00a3a1457

SHA1
8c955ac2d8f13a1c825a4339e717c9cd8d649935

SHA256
df1a43b48c563eadf9b52651f82e2cce7eb3b69146897cdb4914d8e9040361e4

SHA512
acc90d5ffd8b572ca9e3be12d304923f8f4c43f8b3eb9caaf663d1e05bdf874585e6f0d8694a23828d4670cd06e89b4a01da4f9e8c7cf0eaebc30caf6efdd208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
91b6f107227ae832e794981d1627c039

SHA1
026dfc17c7d197d30ec921931922ecb133cd95a2

SHA256
90cad1d86ecb90a8b5d9f8aae650982ef75604886edf45b3ff2ba8bcc7970b67

SHA512
6e4dc6a2dea9dda6f3f4173d9c57dd9c53877d91e212572c8bddb1d80a2b55847f304539278096b719435e5e86aafc51d6b7c1c7442267d306eecea75e4a93f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
4422e67b97106796a9c25de03e5fa270

SHA1
1f0341d084e0867e9345f06af4931a99bc7a091e

SHA256
da78943299a66376f5a3fc0515545ba8a3eceefc378ef62ad98489298ca8627f

SHA512
aad78fbcfa221930db867c427c76293c5508f55d08d549f72bebd04089c01bc1fdf5015edb4a5468eed67cc90027b4f7d07563eb996a0fa743901971481a65b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fa099196bad1bc42a3ef417052ec8d4b

SHA1
d41c7f3a2090fd14010bc7032a84c2ce4c4364a4

SHA256
7f2cd2c04a8ecd2c7e7395b56f46d529c56d657486de7900822d786514db0ded

SHA512
a9ce59aec4401e7a6dc467121a3cf9425edaa3c586f687f644ea6d366ed9a9b1fce8f1f9023a32c47da446aca9ab985105f21192f5b7dc71bffcd7bc8036c926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
46de8c2b0b1813cd50612878cc7e0a3e

SHA1
d331b3eca4becdd14fa1ed7d68d9e07a3c14ac65

SHA256
78cc02a16bbcfae5304074b92a1e992820b375c6c9c20bb181dcdaebc7609457

SHA512
1500b5ddf23fd1385281b37313e7e7a116bb46fe87337bc8c93ab15f8217cce4cc02928829ec2d01a724ca930af8673d696633ca7eabe73549d0d8236b5d2f40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
43f90836b0dd6176ba5f167ab8a39e8e

SHA1
6459390cea2df31fdf2f65be5b796ebb58ffa919

SHA256
644dcf2d5837d6031c63c0ca59ea3457b9a488be77a2b9c0a0896e35249102de

SHA512
98928ea9c6993f2dab268fc60c63f8bf5b524c453abbf3005d8a0abd08ea246487f2a336d0d50a70a8f79eaf27a752e6ee9b3b8f9a1fc38ae91f6cb877eccac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8903586a397d7c327dabc4678c3b8f9e

SHA1
d19ffeacd06005f1e5bd0cdb3b148029ccb561e4

SHA256
f1652276d9a7dff0a87fb225dc15cc3fde2af2325875bfdb463255fc53e0ac1f

SHA512
032058b32343e338c83149aa420c36c168afd60f3b6ae729b9d9b5d74cde5e40c0f8b5c33dfb07ff8bbf0aa1dd1648308d87ccf190bf8423fc84c440b215a222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e4490458da3ff31bb0ec84a0055303f

SHA1
e1d1cc65bd33ceae22208e1de24f3c22849575d5

SHA256
ebcbcfec88fbb28635835901ba13bb6c00f1ff9631da5c1603240cd275d0b63c

SHA512
6d8b34fd1fa3dbde00f8ebbefd0f4a93a2b68de6373e2125559b6ee7ac3b2afdf8a816ad420bc776dae06ee034b685d6905533c4e8c36968d94a5ac493dee87f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5656fac9e01d8e24b0b343ee81641895

SHA1
06b6d7ba87d06a39cfce350c4d3a8612d5f75330

SHA256
fff45129943eadc66938fc60665b37d3cbd1239595c35855862b933c6fd4eade

SHA512
6112e40e68b50634bb87ae859a9f2bc0dd5d1e8377f3085c55ba485178bfd17eb29ef460268e8271baa62bbc3bbf5fd1c724488ac12ec2afb2cbbaaa7ec8ef62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0cf3c5599e6adf582dc264f5396e45b8

SHA1
e568286da2631aa06209a1a2f21444cf25f3269f

SHA256
0d0403e384607d4354a048c8a679809039b262ce6bf9163baba551eb9e7ece08

SHA512
c29fb86e0c0765a4ad415a376ee806b9eeea34541e77524d639417e9fef70a0e1b4ea5c9b25d0f949c5c26a855a717e02a03e7f79f3cf90f63bbd56ffe7d2c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
053be2e940c79a01f23316af229affbe

SHA1
9969af955f5f35be77d5e0dc4560d8927a2ff492

SHA256
3c89d1c33e4955c502844ff1e8ae62c8eff9fa1f877813859f64f1b3061dec90

SHA512
ea732e177db0cb073153e586c5242c116685fbcf5bc35eb5ceb407d0c0998654589711a1acb8706ee211b489c2c0137fb47fd1d8fe4cf61de2ee105e623c82d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
397d894639a6b81f3de0994307a5d103

SHA1
24b194def50a54f0fa46d9791de6ae1f00946cd0

SHA256
cc44d57f37eba53b6a9dd0fb928b3359ea79072f9cb2f453e3a9f98c158db19f

SHA512
0b897dd072e146df3e6f2677136f1329d79d89576af87641063f06e886001d78c190f1da8e49f9e7ae27b2c657e8483ef293fc18ad4200418cd744fee146ac94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
823a5c9d051b0da78bf61a051d0ee339

SHA1
8f974f5dbb60172bd68515bdb5cdc2603a9b00f1

SHA256
50ca46e10509a8d8754618bc021923040c2eccf765443007a739a739c05bead4

SHA512
b2422916ce30e3df6097af43dd73aa6f88d5e36ae954bb1695596caa5e92c6573c29b075bc48d81d657e0f344b295751f7d681500c20e7c60b49805df4839549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
170eef4c39282856ad57f12bceb28004

SHA1
5b77db5739fd02b9f91d884ab92b867eb6ee474a

SHA256
e5354235f347db8d5dedceb8c7f0b25b46e1050424cb7d63b0b40c8c8c2f073b

SHA512
60da627a50226cdb53996cf1c3e4f8296c134facbb80d317e3a773aca941248044ef26c7673c716944583b11cf0e407c3b09e8c25d48b4bc57c6bc925a63073b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b03dcbe965bd0f85c16c7c78556f9306

SHA1
c65609c3f8627c1c6ef27e4d60820092e539dd61

SHA256
9326dc185117813dfd6faeb2f5ac29a69a02c08a4c5ba2c08ed7aad287302cbf

SHA512
c359bd4039e99284a252b0e5b0f08b504b7afe746439bf5306d81083ecc08715fb64f60cd2997b5de2e6b07336f8e91976b10b5d2254a0d86e37365512984ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
473d8989e315453bac125e936b17e322

SHA1
8502d129cd428edb85ce9a8558e866ad863c1cc4

SHA256
13b03e3c8da83ee56e485d9bab0e05b131053a44c2c383121d78276650ed7926

SHA512
3e75777b0fc711fed563058ffe09c12d34ae13eec17326a4091a153071d53294343b851c0e8e3aca6f44da0cff5b695b62e08b282989d5981bd5d4fe6b1ca49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
6a88b57a9e9701e52134efd3419e1bbe

SHA1
755d6c639b17825909ebf83dcc582a8c70eb061b

SHA256
6739c681bc63bb8474e764b81e4af1f40510c1e75da663eb048b3b89a2f2de3f

SHA512
3b19dfc83c7cacc1459039cbfe31c85641f12232180a5ae102a0f5bc6e54f3cc8de384515b022919eb8e2ed4efd322882c16c8fe2576c5c092fb0bd573a93bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e9f2.TMP

Filesize
200B

MD5
5c8e66c469fd4257101e50cec51dce54

SHA1
5f971d3bb40e1d939883cfb5b6cccf6e15b0f04c

SHA256
619b0b3b02013014e095264d7fe632e186ea0edfa5bb0f29f0b500f28f596027

SHA512
625813e1f035bbaa3e1b1063978c8e75ae41e1a9e7e5e073be2d0d4efed19ffcb3e99e436c46285b758ae3ae09577cc9008a292296e6a951010d0a6195e25643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0924ad9f1ecf25578540c43452a222f1

SHA1
44fdacf1595070bc302b757964f1a3f91523c2e5

SHA256
22b4b32c63a123d42ead2d9e9b1a764bb59a4e2af789bfaf0e74116ce1fa92ff

SHA512
6f32ee89e853ea8fd0956233b8f0ca70da668e73eaa7e6a65cee48a8ed41131b88bfc5b10486ec7b122dda3d6d448b498aacb314ff2088b26ba362eb26d23a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c58278bc89905562efc06e4da21468da

SHA1
a0802a318f918f495f02afd8e1b465789cc9a51d

SHA256
10497efc3aeba60159bd637cb5ed2d110760e4e131ca94bda7c90140d2c17c85

SHA512
bf3e62c86283b6b5163f9b96325b8dfe2ded7debb77c23391b86aa3b433196502ac908cbac3817bcd1096ca6842cbd9aa84e0744768cabed180ba3b6fb0ce96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AN527.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AN527.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U08N0.tmp\You-Are-An-Idiot-Vir_eejUzc4HeL.tmp

Filesize
692KB

MD5
3c7589a615c450e30598ee5e8c34497e

SHA1
d29e9529cefad747f2ad41bac196fa44c1168236

SHA256
c37d59ce5c1258669006f50060c7243204f3a879b5d20c248eacf1c096e832aa

SHA512
af7cfabec9229b7d21f33e78305e9d6b351080fb3b03e0e2b22053f23d6b37e48480e149552a20744840274e91e1a8c5aacbbea0c46daf0b0a9c9844df90f73e

Download Submit
C:\Users\Admin\Downloads\You-Are-An-Idiot-Vir_eejUzc4HeL.zip

Filesize
6.1MB

MD5
6e053cf9873cfb069a39cc217b86d456

SHA1
32c4896ebce68274cc4f25f9c3dfe8436fcf5239

SHA256
40c66b10b480cbb320a2ae466141472674ad19c4e5aea87ac9079cf212efddea

SHA512
611c7d0d47a44f1dbbd0aa64f1996e5a8b40805d86cb5c4cb223d7e6c7fd04b80e8235beb867e2a2d4cfef9372e6095ad9ba04770a50f04446fb3cf8050d3f5f

Download Submit
memory/2900-455-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2900-532-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4452-530-0x0000000000400000-0x0000000000C08000-memory.dmp

Filesize
8.0MB

Download
memory/4452-531-0x0000000000400000-0x0000000000C08000-memory.dmp

Filesize
8.0MB

Download
memory/4452-534-0x0000000000400000-0x0000000000C08000-memory.dmp

Filesize
8.0MB

Download
memory/4732-533-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download