hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbmJtSVM1MThVdWZXZ2VHMFdKMEhHSERzX1dSZ3xBQ3Jtc0ttT3REWllBOVFteUR1WWR1OGxBSHdLN3owNU5DTlBsWU5ZczJNRFdHczNzS2hENTUxcXFfOGZTSUFZVHFaaVROWVJGbk5ja0FRZ3Q5REJvMi1tQU1hM0VEVUpKMmxVQWtFVmRBYXpRM3BacTBiQ0pRQQ&q=http%3A%2F%2Fapps[.]evozi[.]com%2Fapk-downloader%2F%3Fid%3Dcom[.]roblox[.]roblox_client&v=6oUbKgs_Y2Q

Analysis

max time kernel
73s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmJtSVM1MThVdWZXZ2VHMFdKMEhHSERzX1dSZ3xBQ3Jtc0ttT3REWllBOVFteUR1WWR1OGxBSHdLN3owNU5DTlBsWU5ZczJNRFdHczNzS2hENTUxcXFfOGZTSUFZVHFaaVROWVJGbk5ja0FRZ3Q5REJvMi1tQU1hM0VEVUpKMmxVQWtFVmRBYXpRM3BacTBiQ0pRQQ&q=http%3A%2F%2Fapps.evozi.com%2Fapk-downloader%2F%3Fid%3Dcom.roblox.roblox_client&v=6oUbKgs_Y2Q

Score

5^/10

Malware Config

Signatures

Probable phishing domain 1 TTPs 1 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	71	https://apps.evozi.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8a76cdfe5809bd77	5

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2532	msedge.exe
2532	msedge.exe
3132	identity_helper.exe
3132	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2248	2532	msedge.exe	85
PID 2532 wrote to memory of 2248	2532	msedge.exe	85
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2168	2532	msedge.exe	87
PID 2532 wrote to memory of 2728	2532	msedge.exe	88
PID 2532 wrote to memory of 2728	2532	msedge.exe	88
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89
PID 2532 wrote to memory of 2932	2532	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmJtSVM1MThVdWZXZ2VHMFdKMEhHSERzX1dSZ3xBQ3Jtc0ttT3REWllBOVFteUR1WWR1OGxBSHdLN3owNU5DTlBsWU5ZczJNRFdHczNzS2hENTUxcXFfOGZTSUFZVHFaaVROWVJGbk5ja0FRZ3Q5REJvMi1tQU1hM0VEVUpKMmxVQWtFVmRBYXpRM3BacTBiQ0pRQQ&q=http%3A%2F%2Fapps.evozi.com%2Fapk-downloader%2F%3Fid%3Dcom.roblox.roblox_client&v=6oUbKgs_Y2Q
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff946d946f8,0x7ff946d94708,0x7ff946d94718
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13056430460179818719,438858494333448761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:5564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2348

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x50c
1⤵
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7ad6311a-0cfb-4a3a-9a4c-8ecab270d17f.tmp

Filesize
5KB

MD5
e396bc9ceaf86c7d3da3a351eb8c8295

SHA1
fd1c87410109e3881d67b9b38cc223ea0a0ec6da

SHA256
578e8c284231e69db4ce6602751ff54eff2a88d059393d2506a57452cd761d5c

SHA512
23b30c8f05244108485a57909fcd1486ed2e582bb325e37f963e661cacca81d285ab788453a3b98c2ef508d7eb270a85758a559ce7985119ba00b134f7822e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dcbc2e497b529274388898510cfe2a2f

SHA1
4d86c1f93988a00e07f441e9cadc9415d190f3a7

SHA256
5e03d2becb94a3123fc7fc586bd1ca190a3dda4ee76f77e17c8d7f63d76c7e3c

SHA512
1bc208d8e2ec813bc33b99bcad6dd2fec7149aed8541048038831aa6270366ca693057ca630e9e093a740e67fe2b04752e97e439cc1b1958b6e9fa1ff767cd25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
ce550d71cc566628ab4c7eb92b5c1b90

SHA1
65047f555272c6aea53e6dd6bf985d7a1ffd54e3

SHA256
fa79a108cce3439e76dd7f1a6ee079679ce5974be57fc4091fa43bce870a1d2e

SHA512
02440108f0e3032ccb5191d244b7ebfd99402897f33c225f70da55ee4a95a6ffb4a5be222aa5db5f792b543d80af757e971e6aaa4e87c2a3dc209559a15f69c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44d19fe93ee97b26ef92d244acab30f3

SHA1
ae6ec0f0789944edcb687e07eb68b3cf59b1a45b

SHA256
607ea40e6396d30ef622c330130fc3da0ac6aaab5380f5d0395fd6254ea1bbd8

SHA512
e98486033e8403b9dbf1a5b448271053e59b47d3c95d2f02bd0fba0347a1d3ef53accd4e5ad884fc122f790019ad045c44a85f0e723bd477a57c27f9ad769772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fe9e2a8d571cbb1db065aa6ccaf8d97e

SHA1
6852bcf03127eefdfbb8c651951f0d96dbccc8ab

SHA256
c0baca6bc9eff839bbf9e05ca0e9ff26edcde97f8612aeacb814b67ac2e515c3

SHA512
ad0956552d905e8fc2396eb047e66b7f9fd60994b31ff304dd72faf5c08661de75cb9d26a105c76192e5301eec6ea68be3486066434481926a354c6d0579f416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
252c1f3e120258b5a92061bb4da7f589

SHA1
91948061d3fd46f409363672046ca1cf9afa03a9

SHA256
f07dd1a654914ea043a5e816149ad9d9d9010c6449dbac91a7c9a04f97b938dc

SHA512
1b25a9ccf287ed33288d39d3297c72021ea49edda3703c2b9f5db2b1626cf348486fbc1ff96b498e19917134f046826aed29bbea3e60e5bf21b0d69840d08913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe587cfb.TMP

Filesize
89B

MD5
1bf9328e9b533718ed1be8cdadeffd82

SHA1
de69c0bfaeeead837e7e622fb1527e766f851812

SHA256
b4e14d34316522f3695f71b61c471c42f90eb626f3dfa22848e337997ed2f72c

SHA512
8a2bf90cd581da789eb503b1774ae425503eae539c4238539df312df68c0e31e196d805f17078f23f25f17cdbf91443d7603fe0e71750cc0736269c8aecffa8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e2ca8e9cba14d5c340af395e5d65a24

SHA1
187068f18d199fc87e5c1c362b4f84d3744d68b6

SHA256
1b9773d726236fffdafacfd4ebb19163279b1676d3a2477b8bbd8f22bfc53070

SHA512
aab450782fbe0ce1ea8b2eb5ae58f6d286f4e0a6d4ec38c2d60275d6f8022974dfc2fc96a3ae7889689f26880060060cc53aa601db1d1e1a5d6fc1996a708956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585697.TMP

Filesize
539B

MD5
2f7888720e5eb90962dab0db20825be2

SHA1
d427a0834fb5a1350fedc2f8ad036b05347ce432

SHA256
5b4812aadee280ff4e7d7fd4a30c1c898b9d8b04df966197a494aefebc89cdf7

SHA512
294d26a175e18bb2706d3fe5037fd2ef2bc429947848155a69664724d5526ddf78de90873fb1ff0ad76dae1494f19aed5e3c11ff08d2f40acd0863f46e37ca1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
001e22c2c16d1c967b67b51a7632c25e

SHA1
d79498d468944e0b2abdec26eff35264c8a5c316

SHA256
c8368eb42478e625b259ebfbc9fb60ada447b08d39f2fb1e65e69ce1bd29bb5c

SHA512
454e100676e4019fe04a4e26214ee94caaa4df4790dce407bcff25e09e73c3308c82d7c875bf6a536b3cc8ed6dc3d8d09807a454e32386d0697783449a510eb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit