Analysis
-
max time kernel: 145s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/05/2024, 17:44
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Naollyy/Tiktok-ViewBot-V2/blob/main/Tiktok-ViewBot-V2.exe
Resource: win10v2004-20240426-en
General
-
Target
https://github.com/Naollyy/Tiktok-ViewBot-V2/blob/main/Tiktok-ViewBot-V2.exe
Malware Config
Extracted
family: mercurialgrabber
Discord webhook: https://discord.com/api/webhooks/1235250283941199912/9Yk7ttCAeq66yU9zbequecplJP2FjHAM5chfXSN5hdQ-6GtoReQAV8u8A5YhrGse-PQg
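The extracted config is a single Discord webhook URL, which for this family is both the C2 and the exfiltration channel. As an added example by the editor (not code from tria.ge or from Mercurial Grabber), the following splits a webhook URL into its id and token, produces a defanged, token-truncated form that can be shared, and emits a Suricata rule keyed on the webhook id. The URL in the code is constructed: it keeps this report's webhook id but substitutes a placeholder token. The rule uses Suricata 5.x sticky-buffer keywords and a placeholder sid.

```python
"""Handle a Discord webhook extracted from a stealer's config.

Added example by the editor; not code from tria.ge or from Mercurial
Grabber. SAMPLE_WEBHOOK is constructed: the id is the one in this report,
the token is a placeholder, so nothing here can reach the real channel.
"""
import re
from urllib.parse import urlsplit

# Constructed from the report's config: real id, placeholder token.
SAMPLE_WEBHOOK = (
    "https://discord.com/api/webhooks/1235250283941199912/EXAMPLE_TOKEN_NOT_REAL"
)

# Discord webhook URLs carry a numeric snowflake id followed by a URL-safe token.
WEBHOOK_RE = re.compile(
    r"^https://(?:discord\.com|discordapp\.com)/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_-]+)/?$"
)


def parse_discord_webhook(url):
    """Split a webhook URL into its id and token; raise on anything else."""
    m = WEBHOOK_RE.match(url)
    if not m:
        raise ValueError(f"not a Discord webhook URL: {url!r}")
    return {"webhook_id": m.group(1), "token": m.group(2)}


def redact_webhook(url, keep=4):
    """Defang the host and truncate the token so the IoC can be shared.

    The token is the only secret in the URL: whoever holds it can post to,
    edit or delete the webhook without any other credential.
    """
    info = parse_discord_webhook(url)
    host = urlsplit(url).netloc.replace(".", "[.]")
    token = info["token"]
    shown = token[:keep] + "..." if len(token) > keep else token
    return f"hxxps://{host}/api/webhooks/{info['webhook_id']}/{shown}"


def suricata_rule(webhook_id, sid=1000001):
    """Emit a rule that alerts on POSTs to this specific webhook path.

    Matching on the id rather than the token keeps the secret out of the
    ruleset while staying specific to this sample's channel. sid is a
    placeholder; pick one from your local range.
    """
    return (
        "alert http $HOME_NET any -> $EXTERNAL_NET any ("
        'msg:"Mercurial Grabber exfil to Discord webhook"; '
        "flow:established,to_server; "
        'http.method; content:"POST"; '
        'http.host; content:"discord.com"; endswith; '
        f'http.uri; content:"/api/webhooks/{webhook_id}/"; startswith; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    print(redact_webhook(SAMPLE_WEBHOOK))
    print(suricata_rule(parse_discord_webhook(SAMPLE_WEBHOOK)["webhook_id"]))
```

Never issue requests to the webhook from an analysis host, not even a GET: the token alone grants post and delete rights on the channel, and a probe both alerts the operator and changes the evidence. Report the id and the defanged form, and pass the full URL only to whoever handles the takedown.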
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Tiktok-ViewBot-V2.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Tiktok-ViewBot-V2.exe
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | Tiktok-ViewBot-V2.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | Tiktok-ViewBot-V2.exe
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Tiktok-ViewBot-V2.exe
-
Executes dropped EXE (2 IoCs)
pid | Process
5472 | Tiktok-ViewBot-V2.exe
5692 | Tiktok-ViewBot-V2.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 7 IoCs)
flow | ioc
89 | discord.com
64 | raw.githubusercontent.com
65 | raw.githubusercontent.com
81 | discord.com
83 | discord.com
85 | discord.com
88 | discord.com
-
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
76 | ip4.seeip.org
77 | ip4.seeip.org
78 | ip-api.com
84 | ip4.seeip.org
-
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Tiktok-ViewBot-V2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Tiktok-ViewBot-V2.exe
-
Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Tiktok-ViewBot-V2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Tiktok-ViewBot-V2.exe
-
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Tiktok-ViewBot-V2.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Tiktok-ViewBot-V2.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Tiktok-ViewBot-V2.exe
-
Enumerates system info in registry (2 TTPs, 11 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Tiktok-ViewBot-V2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Tiktok-ViewBot-V2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Tiktok-ViewBot-V2.exe
-
NTFS ADS (1 IoC)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 764942.crdownload:SmartScreen | msedge.exe
The stream is written by msedge.exe to its own in-progress download (the .crdownload file) while fetching the sample; it is browser behaviour, not sample behaviour.
-
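The registry and file rows above are worth triaging programmatically, because the report mixes what the sample read with what msedge.exe read while downloading it, and because the sample ran twice (PIDs 5472 and 5692) so each of its rows appears twice. The following is an added example by the editor, not code from tria.ge or from Mercurial Grabber: it parses the flattened "description ioc Process" rows exactly as they appear in this report, separates browser processes from the sample, de-duplicates the rows, and names the VM/sandbox artefact each registry path reveals. The artefact patterns and the browser-process list are the editor's assumptions, not anything tria.ge publishes.

```python
"""Triage the 'description / ioc / Process' signature rows of a tria.ge report.

Added example by the editor; not code from tria.ge or from Mercurial Grabber.
REPORT_ROWS are copied from the signature tables of this report. The artefact
patterns and the browser-process list are the editor's assumptions.
"""
import re
from collections import defaultdict

# The report flattens each table into "<action> <ioc> <process>" triples
# separated only by spaces. An ioc may itself contain spaces ("VirtualBox
# Guest Additions", "Logical Unit Id 0"), so it is matched lazily up to the
# next token that ends in .exe.
ROW_RE = re.compile(
    r"(Key opened|Key value queried|File opened for modification)\s+"
    r"(\\REGISTRY\\.+?|[A-Z]:\\.+?)\s+(\S+\.exe)(?=\s|$)"
)

# Registry locations whose contents betray a VM or sandbox (editor's list,
# built from the paths this sample touched; matched case-insensitively).
VM_ARTIFACT_PATTERNS = {
    "virtualbox_guest_additions": r"\\Oracle\\VirtualBox Guest Additions",
    "vmware_tools": r"\\VMWare, Inc\.\\VMWare Tools",
    "vmware_scsi_disk": r"\\Enum\\SCSI\\Disk&Ven_VMware_",
    "video_bios": r"\\System\\VideoBiosVersion",
    "system_bios": r"\\System\\SystemBiosInformation",
    "system_manufacturer": r"\\System\\SystemManufacturer",
    "system_product_name": r"\\System\\SystemProductName",
    "processor_name": r"\\CentralProcessor\\0\\ProcessorNameString",
    "disk_enum": r"\\Services\\disk\\Enum",
}

# Processes whose rows are download/browser noise rather than sample behaviour.
BROWSER_PROCESSES = {"msedge.exe", "identity_helper.exe"}

# Rows copied verbatim from this report's signature tables.
REPORT_ROWS = [
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Tiktok-ViewBot-V2.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Tiktok-ViewBot-V2.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Tiktok-ViewBot-V2.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Tiktok-ViewBot-V2.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Tiktok-ViewBot-V2.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Tiktok-ViewBot-V2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Tiktok-ViewBot-V2.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Tiktok-ViewBot-V2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Tiktok-ViewBot-V2.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Tiktok-ViewBot-V2.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Tiktok-ViewBot-V2.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Tiktok-ViewBot-V2.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 Tiktok-ViewBot-V2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation Tiktok-ViewBot-V2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer Tiktok-ViewBot-V2.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Unconfirmed 764942.crdownload:SmartScreen msedge.exe",
]


def parse_rows(text):
    """Return (action, ioc, process) triples from a flattened row string."""
    return ROW_RE.findall(text)


def classify_registry_ioc(ioc):
    """Name the VM/sandbox artefact a registry path exposes, or None."""
    for name, pattern in VM_ARTIFACT_PATTERNS.items():
        if re.search(pattern, ioc, re.IGNORECASE):
            return name
    return None


def triage(rows):
    """Split rows into sample vs browser, de-duplicate, flag VM tells.

    Each process gets a set of (action, ioc), which collapses the duplicate
    rows produced by the sample's two runs (PIDs 5472 and 5692).
    """
    sample, noise = defaultdict(set), defaultdict(set)
    for action, ioc, process in rows:
        bucket = noise if process.lower() in BROWSER_PROCESSES else sample
        bucket[process].add((action, ioc))
    flagged = set()
    for items in sample.values():
        for _, ioc in items:
            name = classify_registry_ioc(ioc)
            if name:
                flagged.add(name)
    return {
        "sample_processes": sorted(sample),
        "sample_unique_iocs": sum(len(v) for v in sample.values()),
        "vm_detection_artifacts": sorted(flagged),
        "browser_noise_rows": sum(len(v) for v in noise.values()),
    }


def summarize_report():
    """Run the triage over the rows copied from this report."""
    return triage(parse_rows(" ".join(REPORT_ROWS)))


if __name__ == "__main__":
    for key, value in summarize_report().items():
        print(f"{key}: {value}")
```

Two things fall out of the summary. First, only Tiktok-ViewBot-V2.exe touches the VM artefacts; every msedge.exe row is the browser reading the BIOS keys and tagging its download, which is why signatures keyed on process name rather than on the registry path alone are needed. Second, the sample opens the VMware-specific SCSI enumeration key and the VirtualBox and VMware product keys in addition to the generic BIOS, manufacturer and processor values, so a bare-metal-looking analysis VM needs those keys absent, not just the BIOS strings changed.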
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process | rows
632 | msedge.exe | 2
1068 | msedge.exe | 2
4728 | identity_helper.exe | 2
5360 | msedge.exe | 2
5264 | msedge.exe | 4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process | rows
1068 | msedge.exe | 7
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5472 | Tiktok-ViewBot-V2.exe
Token: SeDebugPrivilege | 5692 | Tiktok-ViewBot-V2.exe
-
Suspicious use of FindShellTrayWindow (35 IoCs)
pid | Process | rows
1068 | msedge.exe | 35
-
Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process | rows
1068 | msedge.exe | 24
-
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1068 wrote to memory of 4180 | 1068 | msedge.exe | 83
PID 1068 wrote to memory of 4312 | 1068 | msedge.exe | 84
PID 1068 wrote to memory of 632 | 1068 | msedge.exe | 85
PID 1068 wrote to memory of 2600 | 1068 | msedge.exe | 86
All 64 rows have the Edge browser process (PID 1068) as the writer and one of its own children as the target (4180 crashpad-handler, 4312 gpu-process, 632 network service, 2600 storage service, per the process tree below); the repeated rows are collapsed here. None of the WriteProcessMemory, FindShellTrayWindow or SendNotifyMessage events come from the sample. The only privilege-related event attributable to the sample is the SeDebugPrivilege adjustment in both of its runs.
Processes
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:1068
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Naollyy/Tiktok-ViewBot-V2/blob/main/Tiktok-ViewBot-V2.exe
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:4180
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd92c546f8,0x7ffd92c54708,0x7ffd92c54718
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:4312
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:632
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:2600
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:2608
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:2708
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe   PID:2796
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe   PID:4728
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:3400
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:2848
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:4756
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:3008
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:1816
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4964 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:2916
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:5200
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6296 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:5360
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6384 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Users\Admin\Downloads\Tiktok-ViewBot-V2.exe   PID:5472
        "C:\Users\Admin\Downloads\Tiktok-ViewBot-V2.exe"
        - Looks for VirtualBox Guest Additions in registry
        - Looks for VMWare Tools registry key
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Checks SCSI registry key(s)
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\Downloads\Tiktok-ViewBot-V2.exe   PID:5692
        "C:\Users\Admin\Downloads\Tiktok-ViewBot-V2.exe"
        - Looks for VirtualBox Guest Additions in registry
        - Looks for VMWare Tools registry key
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Checks SCSI registry key(s)
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   PID:5264
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14327007135392329722,7819492423541409657,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4812 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\CompPkgSrv.exe   PID:1708
    C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe   PID:2100
    C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152B
MD5: 537815e7cc5c694912ac0308147852e4
SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
-
Filesize: 152B
MD5: 8b167567021ccb1a9fdf073fa9112ef0
SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 2356eed2f9074e157c2411be024bb49e
SHA1: 6e446956ebe04cf976fd2c63ccbde9c355f3bfdc
SHA256: fc74c28c224102dd067ead57ea390c289db5c0a39f2e0413fab7e50b2e813db3
SHA512: 6cd55bf8be963cbf66a9bf2d9552b8980af4eb76263d9a9dcf827fe7fff90bda7d5de87eef82fe5250a6ae5d4ea371ab4441e503e53eaebad720adfc0478cab1
-
Filesize: 579B
MD5: 454e7cd4fbb0751ffa354ec86870a258
SHA1: 716d6739a2a278446c3e9c16cb72d996d042bc89
SHA256: 9cbad050449dd86a473ca97a90c4b4f6076f3174f52ae515de52cb4793f3d5ca
SHA512: 83e6e36c576ef32a555d6a6e3ed9fe4ad51d7681bbfcc6421c29b15cadb0bcc918e4a9d6388ca0e1a1ca750830164ef64ca8015d07a0a2b8ec81fb17c5bc6f87
-
Filesize: 5KB
MD5: 07994431000f7d0345db7fc6a17425b0
SHA1: 0acdca3e22d20ec5d9bdbbfcde0c1cedff7e9ade
SHA256: bba810556d7f1066e902a496f7caaa581c44d3a9a9aa46497ce26567519837ed
SHA512: eaef96914935751ffb9fe489481d810bc6536dfef4d8a23070c6dae17e8fc6a7750ca998e05d09f11441cfca999270e89a5661e3a4a728e07ecd984081006a3f
-
Filesize: 6KB
MD5: a8e009c64a6621c5e0d14b141d2803f7
SHA1: cf87b33c12a6bfa957630ce52e7714b19fb3dfee
SHA256: e935577e193ac032b3dc30447c2ec6561b92cfeee3ae5b1b0905c570091ad148
SHA512: 2ee5cdb6bad7787cbeca0ea03ba57699e73043cbb8905d3fc2c03c8d5e2dfc725d75c1580946f3d8e0eff1083c02a017a730cda418cf7f55c57b5afcff665687
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 11KB
MD5: dca8ae507271cd0f94ff1f7cc6d0afae
SHA1: 4de9d4dc48e491e4fc4180540fb99fd4656b7600
SHA256: d443837161fce28835e2f748169fed5483d9162ac6c648cc906f743638f1104e
SHA512: 5f5ca9cae30ce64f821780358718c304ab7c02e80d92772d0af7ee8ba02c3a104d2ebd77546d85ce3f6edd117c66b028ca0b8ffa58544fbb95ef38201169c51c
-
Filesize: 11KB
MD5: 88495e3c63fcf135fa9948c4e6eecd27
SHA1: 63c735560451adc73c1669f880eeb4ec75827ba6
SHA256: de3c325a7fe980ffd304aad51eb98a724a8b582b3bb3af809c7ca10bb718ccf7
SHA512: 6310071089283cf831f97dce4d6117fe69751597a119cc0084b147c5a68561f7f265d058a8f4bd762d0ffa68b00133d01584c801e9f84ccd07781a2a5bc907f4
-
Filesize: 108KB
MD5: b1c63d6e778a0e0bcde22a8b7c2e8d77
SHA1: ad2f4c0b5ddeec2c0d608816cb3fcaae4d0acec0
SHA256: f1a87162f13f32757124f6eb270efe657e7f3a1e612ebf5f9c243f4f8668542e
SHA512: c15350e1608a827263050385fe741d0439536873506d2c2b8aa8e44bcb1f1f7e1533e7f169acf5f6ed2b91bb7def0bec2dd80bdff9a9d3cc5fd382d0e9a8c967