hxxps://slat[.]cc/have

Analysis

max time kernel
68s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://slat.cc/have

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
444	msedge.exe
444	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
2960	msedge.exe
3312	identity_helper.exe
3312	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3000	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 4036	3768	msedge.exe	81
PID 3768 wrote to memory of 4036	3768	msedge.exe	81
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 1916	3768	msedge.exe	83
PID 3768 wrote to memory of 444	3768	msedge.exe	84
PID 3768 wrote to memory of 444	3768	msedge.exe	84
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85
PID 3768 wrote to memory of 3296	3768	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://slat.cc/have
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8222f46f8,0x7ff8222f4708,0x7ff8222f4718
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2360 /prefetch:2
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8585312693515148166,714372792936195497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3c78617ec8f88da19254f9ff03312175

SHA1
344e9fed9434d924d1c9f05351259cbc21e434d3

SHA256
3cb47fcdca33bb3c8f4acc98424140987235ad79815da4f0e7593e4591ae90ed

SHA512
5b58675088b0fc2b2d705cb648ea89385b80c7cf908b0f4f95a9acdbd350b50754e1b586202db6a918eef70029fafb210947f3c43c570ecf7657e08939fd7e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
09c7ae658385f6de986103443217840b

SHA1
298d880503edce4413337c09d3525f27a2edcd28

SHA256
91e04ec38abdb0204458543592c4621b7bc0306407884f764aa9596a52454cd7

SHA512
4e1272b209487d1e9e7d8502be49ebce91c76718410e817b3ac7faf47d9b699210aab1b941fbb5ddafc192ddf4b2ba151afd47fab753ec62bc0bca36039c55c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
571KB

MD5
9c215133053676be75f017635cc7a8f4

SHA1
70d3021a7da56f7cc7b47507dc00795503a49e40

SHA256
a795010dbbf63f5a1ed6fa6838a7e2539ffb2782e15f9ff3e5fe37aa61c19cc4

SHA512
c34caa57a95a28610b46c6760d726a1391eee4cf4156b4c53f309020fc341b16e5144057b5f6ff33d6ca8ab9f493b563e0b02c320a5fd12fafcc6fdffe05e98a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4f04cf2831edaab36134caf9e5e2b23a

SHA1
6c7e8912d27d840ce1d1f7ea78eb656dc2ed4191

SHA256
2b3569828b720a8da79537b185a71abeed18ee619e59509c0d07f2db72256bba

SHA512
958557e580f255f63e94f307be48a716e006267bb8df11d04035603cc9506cb1644228aafbd6dbebcd3bbf595a6e8479c51213d3bc0d723078a1f66d35c70406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
88059ca08b6dc239c2b5568ea28662ed

SHA1
a520178229ddec5a9ad2d8b747babe087a21afe2

SHA256
2c885b5a438c96708e46b521b70510667a702b5aee2b5dc794fcc7a42ed7502d

SHA512
87a2e13611b53a357c0a638bb21cfd71308855333c5b8d42ad33188dac8216c850c52b495231cd65a526281b6c1ff972b9d5c1d26800eaf83c71f15117ef932a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.tiktok.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
36cb25369583e7fc6dcfce11d1d9ceef

SHA1
607fa47dd4343652d4b55ccf839112f0186483f8

SHA256
a9499e0259537f505e0e8c490f10cac691048ac32d6ab474a5fc46a52fe72801

SHA512
77fb9cd1fa919f85bbfe7020270eb6837332829913db5338b61e7299070ea608ddd60c5c5b9fbdf2bc210b0a97bc1f4636f238d7e453ce4b10929afdaa62b1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be4fb1e9ccf18535baab15b0ad3aeffa

SHA1
53c04810c30e9f0f075d0445d11404046bbb0c59

SHA256
c398e156a9236d21bc62ff5815e9fca97c10f6d31101e449c6d83ceabbbd428f

SHA512
fbde635fd8cc46b244af1ec8265111af88019b214075376e4737bc5fc12a4c07ed2d2d853b4d3592023629e011480df6f57f4b79064b6350490c03167c66d3f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
261b41d91c1efbd250eaa58eb7a469e8

SHA1
f4fe7493df8f0bbd3ccee75fa851e4882a3512bc

SHA256
80c58bf4cd7efa1acb019897dbc2731b5ec4e61df3c2ca4691bc871d73752b36

SHA512
7b8a79e9663fd70e99fa439191702da277269a3f8d838636aeba4fa8e8738b28145290dc32265ef107a1a3037f0559cb834572a20670307e901b157603051f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db6cb31fd26746b49fcbc55ae7e3e0b2

SHA1
e78473cf4b019c4da0e59039fe1bc5df7681493d

SHA256
ea93e96f798e93fa18602c0553f53dc2f492f61f823f3bfd960c0abcae06165b

SHA512
2f5804621738f5a94ec3b09c569bd81aa4fd4dd11c43365fa3cc0632d1a8da419275b3614d8978d5dd898562215bd08bdd70b4cfb59103d2a4291685f254651b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f44bcd07e4e3d03e3cf3e25251e1c578

SHA1
60b38c5881bb954d40abd90bac8da2fb266b7189

SHA256
584aa97c6dd578a9b0ca52d4feaa993d253b742439ba9e3aa3ee1a99fb498012

SHA512
588716f7480647599b1e78d7a01628c8976eae73fcbd830fa5dda961962fcac6c3915daeb4bf16ca21d90ae71ab2db42a5cfc298dd7f43c02f42536693199fd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
aec6cafbbd157eb1726865d0ac44b918

SHA1
cbb35a2279938457d5e03b4fc626016821d4f31a

SHA256
60218821ff921d51406974fcdda52e172d1f217720d0f0c95846a3e1a28fc079

SHA512
ea8f21550edbb704f241641e81493eed39002839880d7ffbfcb9fafb28f2ac1be371fbfe8bd5041e7d084a93072a83a0b12814d3f7c8d5766223d08c4c7bc5e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\077af08c-89ca-438d-9bff-dcd1e3eedffb\index-dir\the-real-index

Filesize
456B

MD5
46dd3d50514b517792d7122397236e60

SHA1
587f56d6668f5600bfdb94864e297334ed963eaa

SHA256
83a5ec03ddab703b1812fc1aef88f79ac6f50de55574f93de3fca2f4bddb1132

SHA512
8dfe03f4745bd2edfe039aa0ca7ab68dbed6b98afb51ba1291701b0fbcda611b5ba6975a702c262bfbccf4e9f4e7d2be7091e5689217ba7266624137ba65fa32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\077af08c-89ca-438d-9bff-dcd1e3eedffb\index-dir\the-real-index~RFe58720e.TMP

Filesize
48B

MD5
e9f4f81e93eab8da13db69d7df59e60f

SHA1
2134314cdbbbdc2e302a94dfca38d29bfcbfc4d3

SHA256
aef6760a66d6489b1fd3d124be7ac432c590fec0e43ab15e715a719f5cee55f9

SHA512
adbb0fccaa3cfcab3281e4a7c98d9ca54550e1e1ee725df7e4ae94f78d1771c17ff3ddaed9e492f8ec98ef3e3dd154f6203257416ea0f01a07160251ae17af84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\2e6235e9-71ca-4223-a19c-e3412098d822\index-dir\the-real-index

Filesize
72B

MD5
da4eec1d8586b13155477ffcbb1d2c69

SHA1
acc81008576529249af9023cc084a513d52e2c87

SHA256
8e724c2781a330868b9bd530ab2a4839420f85067d71516e9f44e8b1dcb1a4c9

SHA512
9bdcfb7f62856f2c6af1504885c0f578301e5900aac6cf78c5c1028548dfa30d64a5aa9f0823337e332e4fb189101589ef8f3b9ce44461baaf83082b695e7fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\2e6235e9-71ca-4223-a19c-e3412098d822\index-dir\the-real-index~RFe5870c6.TMP

Filesize
48B

MD5
23baddb7de847466ddfbe8f55240600b

SHA1
0247ce0ac2d266fd4d1441d0b59f092d2c3148ca

SHA256
89222c9921a8ffd9872b1f2b9a739373863d6f817592af258c525b54d817d409

SHA512
bc3ffcf5520e3ba9e13fc0cfe4413253665ac3d63d15cf417b8915f8376a4416c99ad2d3ce45b3e4e52d1421aa17d87b25ad02685968bd065aec15d5397d3c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt

Filesize
168B

MD5
48a2ccfcb2eaa6278cafc3f1dc1cf6b7

SHA1
58b7a428ea63e688fadaddca1dd0b954c43bdfe8

SHA256
509559c0e324d4dcd1b654a24df41b0e7729b8d0e50f49589732c1690d9f9f59

SHA512
be870fc7bf84f5c0f2f28f6dd251250e18b76ea5a6f627cb2ed6e63ac97f1d276905b7f35d7f038b3bc7db161b2d533d2b67aa42fe54d5de33b16a6862c9765e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt

Filesize
165B

MD5
4e6665b942524d0539ae24e65ef977ff

SHA1
285f82fa50e119b769497b4fdd3a59dfafba9516

SHA256
1b939e06065ba389108ede0c918ca510b342df90d8d5cf981b5a2ce857b4d20c

SHA512
4214df15dda69ebbfe7c21e62308c74a12f89eb19b6fde3728bd54909eef0de98eeafeb54778ccfd1738f5806b4fb205b94265a360cd56a05081be0f093fea92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt~RFe582296.TMP

Filesize
102B

MD5
c8fca3090bc532f3407fb9e6405bea3b

SHA1
d36d58da5b073dc79f04c9c32c69c10f976225f3

SHA256
ecf380d38a473b79a0b885cb6a0e927da98d36f5d6143456fdd9d99e9370f220

SHA512
ae83ea091e841976b888aea11d5c72a2072f14c562f9e5548d5ae38e9228c848aec1ad3f9e39d575272157de4e8217eee838e332bc001d94967cfea31b94c957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
264B

MD5
20e31b44ff17db2edab65dc7ab0fb0f8

SHA1
40c401991e105fd8e2bb2be0d35cbb8e362d54ac

SHA256
f33fd170c08974b2050a4f06bb8d42e6f2379a39c7804437bda36e9a74e777f1

SHA512
5cd210a93c62cf8cb0d174172ed7391fab7d8289552e3e11e8f722d8bac3931fa97b9b65dad9a06e060c27d090b759a98a996f543e9d49305fd865914dbf1145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5870a7.TMP

Filesize
48B

MD5
b95dff491c9c5d7d17ac76bb70471a19

SHA1
8d56d6f24e1efdbd4e3f630cf83c1d3f840003ea

SHA256
082af2a102b8cf95222d7ca4a59603bfe834fa79046b7e9a15903290ccbb5128

SHA512
cf913342b46f3fc5b05f5b41a666ac08f1a46465166b739db219641601259cd6df742b0b3cc4cf92425613eda6fe06a34d372653ada400f0f3e97018e528e1da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7ca104840473a1fa3fb61710e66e8e78

SHA1
791f6c33e4d7866eee5bbe70c6229937c4050ef1

SHA256
cecf4388880dcb1b9ddd7d55c94afa9925935fdbb5a43af6d93d1cf44118a844

SHA512
d0fd5310490c6657c76c134356e16879039714a752faf129fe6d42a5b1604f85946308b1007505da55bff665b8da2ed98d92d9169f9473ef70ecd65320618411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
dc322c08916ce0698e8dce8528bf4590

SHA1
f66e06e3788bd31fc3915a81e5d27cd879101b63

SHA256
c2bf7adee0edf1aa788eab141777f04e3e9d371e65fb0f18262596b5e95c0d5f

SHA512
7119a0428d705bdd14d0f23dcb6a5e4b58c804696be0b9acf818b100be99186d322eec7466c1f44ec7a25a7adee3e3773fb9fed97a4c669121991f36ce221da4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
70167d264fd4946d5bc673d78ba4f2f7

SHA1
711c1c20a214809c2253f7d690858bc379ac1535

SHA256
a98c83f0b58c7c9194d7f95ec595c0985aa516fa1b1d4e2646c876fecd39147a

SHA512
e5912f5647cd4189ba7a35de03d5f19a5f3c3f00b44a4121a661566b6e47c21fa52af1a87ef6ac09f74faa8a5577392bd677063e6327bda5050776cbf5f8442f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ecf65510f34fb08359a26e0a576e4836

SHA1
7e877e16ac5934e624fd6e012d0578c83ac702d7

SHA256
85a8c2ef3e1fce06b5ddca6d37000037b3b1bf85e5cef503714e5da94cc28ad6

SHA512
e0a3d853f74bee0d57af93036e0f6026c2b06ae9f976bed32fb087e6b048350b35f646fd06bbc21ebb50762283c6c26662bb8f7dd9771eed79ab13924f964ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
667ad1b9eeb61310bd0f77f4ecf6acf6

SHA1
84ae70e30f0f209a1486da9d875d46a4e7f25664

SHA256
9bd48f2f892b615c5eaf59ad54fd3345ab987cfee8cef624a2e65549d954ad26

SHA512
7554efdfaead517c3f9bb30b76aad99f6e7db703448ab46bb946ae3097e764ecd614b41980157be7b01de6bc4f4ee0d29eb415b7d5deaee0277620717f3f0684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58195f.TMP

Filesize
1KB

MD5
2ca8aba10240fb3cfae90881ca12af8f

SHA1
3d9455689b3d6569792dcc3d28a22d81234a322b

SHA256
ffa8da3f2898868dd71415fc3eff3b4c04edf9262f4092de25a3f35182839ed8

SHA512
eec13169f7245a8ccd53b2ce10bbeb6833547695e0a1d131c49275bf40a214257309d8525b387dfa449e1f407d916ab4c848f6db86528077ceb0f264e2961dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e1eae674cdec698b618c67cfcfd5788a

SHA1
d24e7479a89ae2fb5717dd4562cdbd1622eb9f2f

SHA256
a030cfe2504a0066e0e6ada09767d26228ddc6a56526297590509a51cf0acd9d

SHA512
4b9f83d4628c28576852028d0e2d13db6a4b90bf5a1b5f3fefe6e9bd78852230745091316826ccac4f8eb867ce155b4ccaf9a28e5ca452c05577d6d848e72f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4980235e40741a33a2032eecec67c2ce

SHA1
605b405218cd5c4ed5e478ffc7f054a7237d2a52

SHA256
82304a207c1cab4b2c5ae71485e74a8f257283e9e5e7320221b9d3afd53ae48d

SHA512
8797687cbda7b247cd9430d2286f4bdcd00b85f9be73fe128e8fa13067973746779f1c68da3530ea0d7cfda224d9eb5638cfabc7a5e686ea539afe8131384eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
d65468485fb2a9ed4a8de43b4643da57

SHA1
d9170dce59d5d6876be6bd8d5f35161e745fc3dc

SHA256
356658619d97ecc8ea11ed51d95a86b8aa81a9ea1f72631e2c3ba39bacf8445c

SHA512
792395ef4c5bbca55ab316adcf62a6a3d82a5646381e9eaa2abc875173b2e8642988a94db2601cd3f6c00c6fddd225fdf4863364208bf05d986e535dea2f70a5

Download Submit