c9cc5ad5b497e4b3c93f7708a4a930dc969b4ee4d3408848b818ab32dcf7b5fb

Resubmissions

02/08/2024, 22:18

240802-178gfsxepa 5

02/08/2024, 22:15

240802-16bfbsxdra 6

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prism Loader.exe
Size

12.0MB
MD5

219aec1f47aa31c565d6eb1c986f479d
SHA1

94fdce9086e955b6b7308b9403a0c05cf9d94bd1
SHA256

c9cc5ad5b497e4b3c93f7708a4a930dc969b4ee4d3408848b818ab32dcf7b5fb
SHA512

77142e6901e157f7931e7b73a107fd90ab433f2bb523cf07a37b59c1511e2b6137ae8e83903dc4c1ff381377c70120faa853e0f7c4bf75a71d9566fdf0254c43
SSDEEP

196608:m5Wv/A6YwfkZQA4LchEGyHJ594kkJH9OczI5L8Ywt6XVKIdqCWx3c1:nNsGbGyp593ck0QKIdSBc

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1804	Prism Loader.exe
1804	Prism Loader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{B713E39D-2D61-4D43-8FD8-72A4460C4AAE}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1804	Prism Loader.exe
1804	Prism Loader.exe
4348	msedge.exe
4348	msedge.exe
1680	msedge.exe
1680	msedge.exe
3572	identity_helper.exe
3572	identity_helper.exe
764	msedge.exe
764	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	408	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	408	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1804	Prism Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1544	1680	msedge.exe	88
PID 1680 wrote to memory of 1544	1680	msedge.exe	88
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 2416	1680	msedge.exe	89
PID 1680 wrote to memory of 4348	1680	msedge.exe	90
PID 1680 wrote to memory of 4348	1680	msedge.exe	90
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91
PID 1680 wrote to memory of 4848	1680	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\Prism Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Prism Loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf89b46f8,0x7ffdf89b4708,0x7ffdf89b4718
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15933263801265561909,8941527003525540970,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000066

Filesize
92KB

MD5
007c71f21a67615a308da5ee5f416cf8

SHA1
baa8ccf84fc23426cfe31177d396752b657e12d9

SHA256
a8fd3edd1c764c7e837bca3450cb911593ef237a1f4fbe261d0f4c2fb6feada5

SHA512
f502844f91d0d6577d941dc6146a5144aca3eb6cd2c02c4b3593cd4e2f54653749ae736c9ab6268c913b1e58a707162bf6fbff20dc874f00d27c593e314eeabe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f4c0ce3b1954a38945800d807ffe4851

SHA1
ac54c4eec0f94dc1a087ba377af707ec81961d44

SHA256
d03e529c444d5597c23edb179dbb1630e66efd3f708f7b4b2dd8715b39abe0e6

SHA512
5ca198e8c3d6845ffefd43db323d0b9cd3b22b7ee6da00d5eedf3fcb3e9eddc062264809f95aa103af01028c21e5d0aabf1007e1aba8b69ab6d7908dee6303bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
123b7ab190ed5edc92af3294c51f9486

SHA1
3bb25d1cda614c8a757202235cd5db2fc13baeab

SHA256
ff54cc8b3298a0faf78a9597eebd42aa22476f063affe7efedf2d488198025e5

SHA512
59c39037784e450c299cf70d6d331128462c4081ee54db51fdd9fe75a394f6888592c7e3c5665abbbd36ea3b26c6281bed4f7c44635ddd2f6b8e5c8405e8b125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
0b95116789b0fd59b5adba285f445434

SHA1
28aca6d9408b1f7f08fc89e87d02f04a15c81627

SHA256
b8a4f5cf4eab5139138bc48688dacf72f532b310bf47f05b3f8827400ae72082

SHA512
dfe33be1a72a6e1de55aa27add03fc338b0b8365a02fc49be8f47586836583832c7285e0dc70dcb77cfd589ce9cd7570ce93a439f641f81a8f564f7434fe5cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7baef278c57a027a5bb34ec177accea0

SHA1
09afd932dc3accfbbf7c0021854cb393d3e331d5

SHA256
9c7889c9d8d54ca54e7016270e6dec112b4794b2d2cb10a9ce686c98c192f3fb

SHA512
0503c3f15b95ad1fa316de28fe1e1ae9aa41bbe3016ea8002887e9af0e044fc170aad10c0f1df5e9442a5a166d7476677a915f334bcbc595eb17d15a7b445ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c08456999acb971b5844ee1d0e79f378

SHA1
690bda13ea052d703ebbe178effb00ca98331e62

SHA256
5edbbcfdeae63b29ccfce8156e697af2afaa184259176295a54140761e3b2736

SHA512
0a0cb51966b4fffe7d20561056d32312823d8ed01597f6a7bcfadcea65e1f51a04be8227a1d5d59df61af9c8aa70eed7877a6b26f19789f4cc46ec4fef2ce7c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c1534a8a0fc49f959c7bf3f551b22d6e

SHA1
c4cb7788ce502ce7469c441ca3471a1df743e2cf

SHA256
9a81a4a85d38c2d3803c3be1d394f811b42d2c5267a2af94e772a068e67e7613

SHA512
1decfc8f44618e2c3490a0f31f08ffd28039bfc0cfe9dc5bfc29ff44c559bdbb1dfc766700594b79e4770349ef754a3f4391ca4fdb5d284dfad4a693631d3034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
38ff5e14055b39df9e4b0a0d03eaa78a

SHA1
a5b7168bce10dac69023e6b2ff965aed289ba552

SHA256
7392b6beb7563d371357ce9ea452682f2e15aaa9fa4346fc41e06f17bc0c19a8

SHA512
dfaef18f4b5fcf959771d7c728313763ca1d8a495bb2b727b695823a9c3ab9144ca0c1ec9e07cfc1d1738899176c6f5fa90fba47c2af63d8480b1ea73caa73e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31db29b952363178ec82679d14687cf0

SHA1
6af44ce37abb33d9651638b6c5f26f6da6ea30f7

SHA256
5896a72a421df54bfd01ff7ebcac071ef65c9e38d73c80b73de1be65c158849a

SHA512
76f568570f99c6842bcfa4a5ffad28f55c96fb1d523af4031d04dea62f8291e25fbdce45ef4d15cb7af811ae19d52f3ef9f15df362876e99c04b546fb1899aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
2KB

MD5
d0730288719d6f0c3f682a5379ad9199

SHA1
cacafb8d065e0624aa81ded4e0e1091178a743e5

SHA256
bd4dbd997023ce719e595d4f9897b613c84cd428d770c201d727ba47feef5798

SHA512
3652a205215009f8d8db72a957432964a94f0e329e7ddc89b42021f166d393b170ba2589c079976d0a77a1aadd413fc7a43d7edb6aa7d5d7cc48c2d4f706be3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
b9ebb945f0018e09c4084577841d1b50

SHA1
7a475120f198e2939d5651dbb58e83e1ba457135

SHA256
d1430443000125d4168019460a23e73af62959c76f28d275e92994f46d1aef6a

SHA512
8e69aedb0b2af8fdd0ba5a9453733e85282eae566cfecf1c927564eb2e3d52c48924f158962ee91d8d7334e0f3dadb6e1bdb412a8520df5e3fc066d11f03dc8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586d6b.TMP

Filesize
48B

MD5
d1641f0473525e1f77eef8af48706f48

SHA1
11cfa065b9f4292be4b66769a0913a8f6dcb146f

SHA256
ba8265717aac8ae7ed6ee06c90f748f9b74b9b7af21b7119a9f418dd125cfe76

SHA512
527185d0bb5082bfe5271892db314e88741a63b7f5d2847fbefb37aac9923aaf0897024a4582ad5120298df43a8b7d8de76333eb97602d0d2392f32ae7fc36bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74c609b8a4f5d2878a16a794d1f33500

SHA1
f7297361ccdafe4066496569a8acff880bd8e031

SHA256
d30dce755fcdbaacb1ef51404580597485ac42013d5f4f74fbec03c58f832901

SHA512
5fb2fdec5dd9ca4fab5d1ad8987d70cbe3eff57c83d86c53410db91d3eca99492b3fe22cc2ba550ee2d2bd6a30e0570231c85cbe1ad2473ab9ef584e9a2e66be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
13373bfff6a474c6befcda1953d4d3fd

SHA1
c7de561da9f6a1345c749d9f6714595afd36eae4

SHA256
82013e1165d5d33d17aac3b0b7a0118e106905f5a4710665de3def03003acc90

SHA512
c563e0d2ea11e70b64ec3e9d32a102629fc2eafccae6e1a91af7d6faa3cf9ecfb0bfc45301d8e381df6d0a565b16e67abe24e77a10ce3794baf00211bb028e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ffc9947598c628c956d49603a0b27346

SHA1
ad86870fa13e950c4ad31937eca6e2a1bb90f75f

SHA256
99eae8209990237050ff577dd8e3955545701907067deb1fbeb4ec2000076766

SHA512
917c65684adc9fe28fefcbc8a446179c1c5d11f7bc7fcb1c32234bded7a5a47a27dbd840495f24abf3cf62d6b3b6a58516e6321d55b30e465892be60a7b6616f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584409.TMP

Filesize
870B

MD5
33ea755d3d5d7ed7af2e9e4d59e4db3e

SHA1
1c46c8227204f5c11de28f308cf2e22ef13a1856

SHA256
973379d6a42c5607fa7c84a1f29d22106946b72a720d86c4d24df4c4ee67238d

SHA512
ea0a3928d7fb2db260ce1648c250171fafa2d456900776bf19838bdbaf935e30c66419b5c2795161115438ff06f86f880f5dd8ab339a3b50e7cc5299a179d21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dffb8f8769a495d4baa0055bd441a198

SHA1
7d262b932c58d40942bd7fd3758a46dcd883b83c

SHA256
1d8ea27f7af18bdff2ab12f653087e7823d329d3e6ba7557e172676c4e889bda

SHA512
a7e94a1f2fcb6ee0bc0142772cf74207fe142c5f346e40c39f849a199e9aa26a1485271ba9772dd3d90638f28d5e2454d3b33243d392f9d5f65ba6fe9bd91403

Download Submit
memory/1804-4-0x00007FFE07BC0000-0x00007FFE07BC2000-memory.dmp

Filesize
8KB

Download
memory/1804-14-0x00007FFE07C60000-0x00007FFE07C62000-memory.dmp

Filesize
8KB

Download
memory/1804-34-0x000001953FFD0000-0x000001953FFEA000-memory.dmp

Filesize
104KB

Download
memory/1804-38-0x00007FF699C50000-0x00007FF69B041000-memory.dmp

Filesize
19.9MB

Download
memory/1804-33-0x0000019541820000-0x00000195418AE000-memory.dmp

Filesize
568KB

Download
memory/1804-27-0x000001953FFD0000-0x000001953FFEA000-memory.dmp

Filesize
104KB

Download
memory/1804-41-0x00007FF699CA5000-0x00007FF69A439000-memory.dmp

Filesize
7.6MB

Download
memory/1804-20-0x00007FFE07CC0000-0x00007FFE07CC2000-memory.dmp

Filesize
8KB

Download
memory/1804-21-0x0000019541820000-0x00000195418AE000-memory.dmp

Filesize
568KB

Download
memory/1804-19-0x00007FFE07CB0000-0x00007FFE07CB2000-memory.dmp

Filesize
8KB

Download
memory/1804-18-0x00007FFE07CA0000-0x00007FFE07CA2000-memory.dmp

Filesize
8KB

Download
memory/1804-17-0x00007FFE07C90000-0x00007FFE07C92000-memory.dmp

Filesize
8KB

Download
memory/1804-16-0x00007FFE07C80000-0x00007FFE07C82000-memory.dmp

Filesize
8KB

Download
memory/1804-35-0x00000195417B0000-0x00000195417B9000-memory.dmp

Filesize
36KB

Download
memory/1804-15-0x00007FFE07C70000-0x00007FFE07C72000-memory.dmp

Filesize
8KB

Download
memory/1804-3-0x00007FFE07BB0000-0x00007FFE07BB2000-memory.dmp

Filesize
8KB

Download
memory/1804-0-0x00007FF699CA5000-0x00007FF69A439000-memory.dmp

Filesize
7.6MB

Download
memory/1804-5-0x00007FFE07BD0000-0x00007FFE07BD2000-memory.dmp

Filesize
8KB

Download
memory/1804-7-0x00007FFE07BF0000-0x00007FFE07BF2000-memory.dmp

Filesize
8KB

Download
memory/1804-8-0x00007FFE07C00000-0x00007FFE07C02000-memory.dmp

Filesize
8KB

Download
memory/1804-9-0x00007FFE07C10000-0x00007FFE07C12000-memory.dmp

Filesize
8KB

Download
memory/1804-10-0x00007FFE07C20000-0x00007FFE07C22000-memory.dmp

Filesize
8KB

Download
memory/1804-13-0x00007FFE07C50000-0x00007FFE07C52000-memory.dmp

Filesize
8KB

Download
memory/1804-11-0x00007FFE07C30000-0x00007FFE07C32000-memory.dmp

Filesize
8KB

Download
memory/1804-2-0x00007FFE07BA0000-0x00007FFE07BA2000-memory.dmp

Filesize
8KB

Download
memory/1804-12-0x00007FFE07C40000-0x00007FFE07C42000-memory.dmp

Filesize
8KB

Download
memory/1804-6-0x00007FFE07BE0000-0x00007FFE07BE2000-memory.dmp

Filesize
8KB

Download
memory/1804-1-0x00007FFE07B90000-0x00007FFE07B92000-memory.dmp

Filesize
8KB

Download