Analysis
max time kernel: 84s
max time network: 85s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2025, 03:25
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file
Resource: win10v2004-20250217-en
General
Target: https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file
Malware Config
Extracted
Family: mercurialgrabber
URL: https://dcwh.my/post?uniqueid=7b57f570
Signatures
Mercurial Grabber Stealer
Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.
Mercurialgrabber family
Looks for VirtualBox Guest Additions in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Bootstrapper.exe (6 identical rows, one per Bootstrapper.exe instance)

Looks for VMWare Tools registry key (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | Bootstrapper.exe (6 identical rows, one per Bootstrapper.exe instance)

Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Bootstrapper.exe (6 identical rows, one per Bootstrapper.exe instance)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
174 | ip4.seeip.org
184 | ip-api.com

Maps connected drives based on registry (3 TTPs, 12 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Bootstrapper.exe (x6)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Bootstrapper.exe (x6)

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Bootstrapper.exe (6 identical rows, one per Bootstrapper.exe instance)

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Bootstrapper.exe (x2)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Bootstrapper.exe (x2)

Enumerates system info in registry (2 TTPs, 27 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Bootstrapper.exe (x6)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Bootstrapper.exe (x6)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Bootstrapper.exe (x6)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Bootstrapper.exe (x6)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe (x1)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe (x1)
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe (x1)
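The registry signatures above are the sandbox's view of a stock anti-VM routine: each key either exists only under a hypervisor (Guest Additions, VMware Tools) or returns a hardware string whose value gives one away (BIOS, disk, SCSI, CPU, manufacturer). Taken singly they are noise, as the msedge.exe rows under "Enumerates system info in registry" show; taken together from one process they are a strong signal. The Python below is an added example, not code from tria.ge or from the Mercurial Grabber project: it parses rows in the flattened "description ioc Process" shape used on this page, maps each path to one of the categories above, and flags a process once it has touched several of them. The three sample lines are constructed from (a shortened subset of) the rows shown above; the category names, the hardware-ID vendor pattern and the threshold of three categories are assumptions.

```python
import re
from collections import defaultdict

# One row of a tria.ge registry signature as flattened on this page:
# "<operation> <registry path> <process image>", with rows run together on one line.
ROW_RE = re.compile(
    r"(Key opened|Key value queried|Key created) (\\REGISTRY\\.+?) (\S+\.exe)(?= Key |\s*-?\s*$)"
)

# Registry locations the report's signatures fire on, grouped by what they reveal.
# Category names are assumed for this example.
ANTI_VM_RULES = [
    ("virtualbox_guest_additions", re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I)),
    ("vmware_tools",               re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I)),
    ("bios_version",               re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(Video|System)BiosVersion", re.I)),
    ("disk_enum",                  re.compile(r"\\Services\\disk\\Enum", re.I)),
    ("scsi_enum",                  re.compile(r"\\Enum\\SCSI\\", re.I)),
    ("cpu_name",                   re.compile(r"\\CentralProcessor\\0", re.I)),
    ("system_info",                re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(BIOS\\)?"
        r"(SystemManufacturer|SystemProductName|SystemBiosInformation|Logical Unit Id 0)", re.I)),
]
# Hardware IDs that name a hypervisor outright; the SCSI key in the report embeds Ven_VMware_.
VM_VENDOR_RE = re.compile(r"Ven_(VMware|VBOX|QEMU|Msft)|Prod_(VMware|VBOX|Virtual)", re.I)

# Constructed sample: a shortened subset of the report's rows, in the page's flattened layout.
SAMPLE_REPORT_LINES = [
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Bootstrapper.exe "
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Bootstrapper.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Bootstrapper.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Bootstrapper.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Bootstrapper.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Bootstrapper.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 Bootstrapper.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe "
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe",
]


def parse_rows(line):
    """Split one flattened signature line into (operation, registry path, process) tuples."""
    return [(m.group(1), m.group(2), m.group(3)) for m in ROW_RE.finditer(line)]


def classify(path):
    """Return the set of anti-VM categories a single registry path belongs to."""
    hits = {name for name, rx in ANTI_VM_RULES if rx.search(path)}
    if VM_VENDOR_RE.search(path):
        hits.add("vm_vendor_string")
    return hits


def score_processes(lines, threshold=3):
    """Aggregate categories per process image; flag once a process spans >= threshold of them.
    One category (e.g. a browser reading SystemProductName) stays unflagged."""
    per_proc = defaultdict(set)
    for line in lines:
        for _op, path, proc in parse_rows(line):
            per_proc[proc] |= classify(path)
    return {proc: {"categories": sorted(cats), "flagged": len(cats) >= threshold}
            for proc, cats in per_proc.items()}


if __name__ == "__main__":
    for proc, verdict in score_processes(SAMPLE_REPORT_LINES).items():
        print(proc, verdict)
```

On a real endpoint the same logic needs a source of registry read events: Sysmon records key creation and deletion (Event ID 12) and value writes (Event ID 13), not the opens and value queries shown here, so the feed has to come from the Microsoft-Windows-Kernel-Registry ETW provider or an EDR that hooks registry queries. Note also that the SCSI subkey the sample opened is itself named after a VMware virtual disk (Ven_VMware_&Prod_VMware_Virtual_S), which is why hiding the Tools and Guest Additions keys alone does not defeat this class of check.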
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings | msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3652 | msedge.exe (x2)
1320 | msedge.exe (x2)
2684 | identity_helper.exe (x2)
216 | msedge.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
pid | Process
1320 | msedge.exe (x11)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4988 | Bootstrapper.exe
Token: SeDebugPrivilege | 5276 | Bootstrapper.exe
Token: SeDebugPrivilege | 5712 | Bootstrapper.exe
Token: SeDebugPrivilege | 5868 | Bootstrapper.exe
Token: SeDebugPrivilege | 3032 | Bootstrapper.exe
Token: SeDebugPrivilege | 1648 | Bootstrapper.exe

Suspicious use of FindShellTrayWindow (38 IoCs)
pid | Process
1320 | msedge.exe (x38)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
1320 | msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1320 wrote to memory of 1932 | 1320 | msedge.exe | 88 (x2)
PID 1320 wrote to memory of 1836 | 1320 | msedge.exe | 90
PID 1320 wrote to memory of 3652 | 1320 | msedge.exe | 91 (x2)
PID 1320 wrote to memory of 3688 | 1320 | msedge.exe | 92
All 64 writes come from the Edge browser process (PID 1320) into its own freshly spawned child processes (crashpad handler, GPU, network and storage services); none come from the sample.
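The "Looks up external IP address via web service" signature (ip4.seeip.org, ip-api.com) together with the URL extracted from the sample's configuration (https://dcwh.my/post?uniqueid=7b57f570) describe the stealer's network shape: a GET to a public IP-lookup service to learn the victim's address, then a POST carrying the collected data to the operator's endpoint. Neither request is malicious on its own; the sequence from one process is what to alert on. The Python below is an added example, not part of the report or of the Mercurial Grabber code: given per-process HTTP records, it flags any process that queries an IP-lookup host and then POSTs to some other host within a short window. The flow records are constructed: the hosts and the Bootstrapper.exe PID follow the report, but the timestamps, methods, paths and the second process are assumed, as are the lookup domains beyond the two the sandbox observed.

```python
from collections import defaultdict
from datetime import datetime

# Public IP-lookup services. The first two are the ones the report saw; the rest are
# other well-known lookup endpoints added for coverage (an assumption of this example).
IP_LOOKUP_HOSTS = {
    "ip4.seeip.org", "ip-api.com",
    "api.ipify.org", "icanhazip.com", "ipinfo.io", "checkip.amazonaws.com",
}

# Constructed per-process HTTP records: (timestamp, pid, image, method, host, path).
# Hosts and PID 4988 follow the report; everything else is made up for illustration.
SAMPLE_FLOWS = [
    ("2025-03-02T03:25:40", 1320, "msedge.exe",       "GET",  "www.mediafire.com", "/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file"),
    ("2025-03-02T03:26:10", 4988, "Bootstrapper.exe", "GET",  "ip4.seeip.org",     "/"),
    ("2025-03-02T03:26:11", 4988, "Bootstrapper.exe", "GET",  "ip-api.com",        "/json/"),
    ("2025-03-02T03:26:14", 4988, "Bootstrapper.exe", "POST", "dcwh.my",           "/post?uniqueid=7b57f570"),
    ("2025-03-02T03:30:00", 7777, "Updater.exe",      "GET",  "ip-api.com",        "/json/"),   # lookup only: benign-looking
    ("2025-03-02T03:30:01", 7777, "Updater.exe",      "GET",  "updates.example",   "/check"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_lookup_then_post(flows, window_s=120, allow_hosts=frozenset()):
    """Per process: an IP-lookup request followed within window_s seconds by a POST to any
    other, non-allowlisted host is the stealer's collect-then-report shape.
    Returns one dict per hit; a lookup with no POST after it is not reported."""
    by_pid = defaultdict(list)
    for f in flows:
        by_pid[f[1]].append(f)

    hits = []
    for pid, pf in by_pid.items():
        pf.sort(key=lambda f: _ts(f[0]))
        lookups = [f for f in pf if f[4] in IP_LOOKUP_HOSTS]
        if not lookups:
            continue
        t0 = _ts(lookups[0][0])              # first lookup anchors the window
        for ts, _pid, image, method, host, path in pf:
            delta = (_ts(ts) - t0).total_seconds()
            if (method == "POST" and host not in IP_LOOKUP_HOSTS
                    and host not in allow_hosts and 0 <= delta <= window_s):
                hits.append({
                    "pid": pid, "image": image,
                    "lookups": [l[4] for l in lookups],
                    "post_host": host, "post_path": path,
                    "seconds_after_lookup": delta,
                })
    return hits


if __name__ == "__main__":
    for hit in find_lookup_then_post(SAMPLE_FLOWS):
        print(hit)
```

The correlation key is the process, which a sandbox or an EDR provides but raw NetFlow or proxy logs usually do not; with proxy logs alone, fall back to correlating on client address with a tighter window. Over TLS the POST path is invisible, so in practice the match is on the DNS or SNI name of the second host. dcwh.my belongs on a blocklist outright; the IP-lookup hosts do not, since plenty of legitimate software queries them.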
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1320)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1932)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff39d546f8,0x7fff39d54708,0x7fff39d54718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1836)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3652)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3688)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1892)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2584)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4480)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2684)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1952)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5024)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2924)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4000)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1404)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6092 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2272)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 216)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3948)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4252)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2076)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1092)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 2684)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3640)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe (PID 4760)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe (PID 4988)
  "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
  Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Maps connected drives based on registry; Checks SCSI registry key(s); Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe (PID 5276)
  "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
  Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Maps connected drives based on registry; Checks SCSI registry key(s); Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE (PID 5396)
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\INSTRUCTIONS.txt
- C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe (PID 5712)
  "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
  Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Maps connected drives based on registry; Checks SCSI registry key(s); Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe (PID 5868)
  "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
  Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Maps connected drives based on registry; Checks SCSI registry key(s); Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe (PID 3032)
  "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
  Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Maps connected drives based on registry; Checks SCSI registry key(s); Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe (PID 1648)
  "C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
  Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Maps connected drives based on registry; Checks SCSI registry key(s); Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
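Every Bootstrapper.exe instance in the tree above enabled SeDebugPrivilege (the "Suspicious use of AdjustPrivilegeToken" signature). A privilege can only be enabled if the token already holds it, which by default means an administrator token, and SeDebugPrivilege lets a process open handles to processes it does not own, which is why the sandbox scores it. On a Windows host the equivalent telemetry is Security event 4703 ("A user right was adjusted"), which records the image and the privileges it enabled or disabled. The Python below is an added example, not part of the report: it reads 4703-shaped records and flags high-risk privileges enabled by images outside the Windows and Program Files roots. The records are constructed (the Bootstrapper.exe path and two of its PIDs follow the report; the other rows are made up for contrast), and the trusted-root list is an assumption standing in for a proper signer check.

```python
from collections import Counter

# Privileges whose enablement by an untrusted image is worth an alert (set assumed for this example).
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}

# Assumed trust model: images under these roots are treated as platform or vendor software.
TRUSTED_IMAGE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed records in the shape of Security event 4703, reduced to the fields the check
# needs. "enabled" mirrors the event's Enabled Privileges list (one per line, "-" when empty).
SAMPLE_4703 = [
    {"pid": 4988, "image": r"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe",
     "enabled": "SeDebugPrivilege", "disabled": "-"},
    {"pid": 5276, "image": r"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe",
     "enabled": "SeDebugPrivilege", "disabled": "-"},
    {"pid": 900,  "image": r"C:\Windows\System32\svchost.exe",                       # trusted root: ignored
     "enabled": "SeDebugPrivilege", "disabled": "-"},
    {"pid": 4321, "image": r"C:\Program Files\Vendor\Updater.exe",                   # low-risk privilege: ignored
     "enabled": "SeShutdownPrivilege", "disabled": "-"},
    {"pid": 1111, "image": r"C:\Users\Admin\AppData\Local\Temp\tool.exe",            # made-up second offender
     "enabled": "SeDebugPrivilege\n\t\t\tSeBackupPrivilege", "disabled": "-"},
]


def is_trusted_image(path):
    """Case-insensitive prefix match against the assumed trusted roots."""
    return path.lower().startswith(TRUSTED_IMAGE_ROOTS)


def parse_privilege_list(field):
    """4703 lists privileges one per line, tab-indented; '-' means none."""
    return [p for p in field.split() if p != "-"]


def flag_privilege_adjustments(records):
    """Return one hit per record where an untrusted image enabled a high-risk privilege."""
    hits = []
    for r in records:
        risky = sorted(set(parse_privilege_list(r["enabled"])) & HIGH_RISK_PRIVILEGES)
        if risky and not is_trusted_image(r["image"]):
            hits.append({"pid": r["pid"], "image": r["image"], "privileges": risky})
    return hits


def count_by_image(hits):
    """Collapse repeated launches of the same binary, as with the six Bootstrapper.exe runs above."""
    return Counter(h["image"] for h in hits)


if __name__ == "__main__":
    found = flag_privilege_adjustments(SAMPLE_4703)
    for h in found:
        print(h["pid"], h["image"], h["privileges"])
    print(count_by_image(found))
```

Event 4703 is only written when the "Audit Token Right Adjusted" subcategory under Detailed Tracking is enabled, and it is noisy because service hosts toggle privileges constantly, hence the image filter. The path-based trust model is deliberately weak: a binary dropped into Program Files by an installer would pass it, so a production rule should key on the Authenticode signer from Sysmon or the EDR instead.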
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 8b5cfebecbfd715cf1c2e86aaba6753c
  SHA1: c2d783bdd82fcfb68e8d566bcd34ead327ed7c13
  SHA256: 6fca1fe2a780fb27f0493353a73b9ae02e9671b51a50b07566a322abe3b25cbf
  SHA512: b6ba779a8bb083a12f7f100c4c338d5902f2e2762654f70fb578dae4c0dccba1c7eec4cb0b5cbc1d8567fbb02624a077fe9f60573dbd12b78da4e5ae618a751f
- Filesize: 152B
  MD5: a690d53f0215760186aa07b114ac4561
  SHA1: 601015b3d5837e99e481db0dcdb0ea33fa80cefc
  SHA256: 8ee92ce70ce780b9af998d760d7226892a37c4a7ca5bddfaaaa5da016dbedd93
  SHA512: 935db7966c0c541b2894b83af14586dfffe138a2a18dc60bfd9d076fb724410841b5536261a090ce57525f8a7dc25e4bc3b133fce61569beebf4efb126607a7f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 840B
  MD5: bba345e1764a55eef47a730ba6a331bf
  SHA1: 3bdf4cb644a3e343b6aa1ac11d2008412c0753d7
  SHA256: 616b77578dd88cac31ce278c1c19fbcc4308b63903c480db9765f783c8b4e3fb
  SHA512: 2fe0e199e9a5a15f405c61ba5491311d72fc89db7df2e0b8a879b4d92e84ba4c121885a73a152302a96169f5fd03ad85ff510f6d99eaf07c7f1690b6803f9b93
- Filesize: 3KB
  MD5: 17913423d4c7b14d6b944d1a9c138e63
  SHA1: 896b1008b4431f99ec190ccfa6338363ef1bf964
  SHA256: 40427ab52e8367381f9cfa73eea96eebb33bc56968eba017dd9b7c91ac215f6f
  SHA512: 5d5c2d4a3ed595e245ad6d831ec783c904b6f62503a7e568a19f2a0a39c751ff607853ec8030791b6487c6ee9fb1648b58314d73a2b3e33b32ac2e4aa5dfa3ff
- Filesize: 5KB
  MD5: c94249f2e7055b474dc010c5f5d97202
  SHA1: 1281d2e5658fc8feb0f713c28addc4897e78434b
  SHA256: 1e7bd0fc441056cca993b8ce123437b91dfbaab55e23c28a19933c6eb861bb4e
  SHA512: 0af79e407db4457b60b5390aaccfbde203f7a5feb42e948dcef60b4afc8635d9651d183e671a27d37dcfca541a8e255933b0ea531ffb48a1fb696a23a8b3c667
- Filesize: 7KB
  MD5: 0af243ec2fcaedbcea5add9ce21c2ce0
  SHA1: f75b46eb31e03d14a795f1dfc9527ce532c2194d
  SHA256: 3f589a2a14af4966b7bb9c6744c7ed4b45b7cf6bd2a0305822280de58a526753
  SHA512: 10d1c33b453001b0fff7bef9b1fda27f08a54692e8a831b42f512b30fd502335820a29f6b885cb8d2166548fea0cf84508e051d4d66619a88fc21f4dd029af24
- Filesize: 24KB
  MD5: 9ac7d64ba533facf33c12b2972d57175
  SHA1: 0ebaf3c94cc3e9b9b02d7547a09bb717a947fdb3
  SHA256: 3a40027ca447bdbc4a277cc817c600cb359e26ff350c7bacf4c87e8b35f556a2
  SHA512: 96c4f83e1963bc4f6367b8916a97c8185cdbd9e33dcc89a541f1688103296226c017c84e3e41fbaff1ed197563871183f620562a02f1f0bcdee117247a878e91
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: 2057652d9c97da3cddaaf146b43dd99b
  SHA1: 2afd4aa5e13c1951bd8f6b84b3778742160b2567
  SHA256: 2c5b3e52e0ef7020d57265f4fad75023d8a070f77515dfba30e12beee2e6456d
  SHA512: 77f4d2480e708991ab2e410272b3f612055bc9559e7c881b21b88f2a77b9943e81cf8af5c34f0b54c733680204cf577b4cf8273f66b044a9d12bbe0e316f9549
- Filesize: 10KB
  MD5: 7228807ee8f2e8efdcddc2954724f148
  SHA1: b4cad0ba2f58d531c93db42f8e1207c10eb5f130
  SHA256: d873c83653a7ff679f45b29b92a96d83407938218c79dd195ac15a17e1a17f08
  SHA512: 2c420178882da54e1a406f9e4321051c2c58577a5e85e1aa34e294e45a3362744d6bcd54168fa46e2d537599cb90de4cc0c7525275ad0bdf81832950f9e8c653
- Filesize: 20KB
  MD5: 7878443b620a278a050dbe62c8261cb9
  SHA1: 2edfaf71bbfc38656b0ceac176891ec4eee8df67
  SHA256: 243825d65df708eb8e6d3f32b6cbaf3d67b36a6f26fdaca9b0df3b6aadabd2d8
  SHA512: a8eb0f11478b60967a6c85953f8c5967af081c78c10791c12fa92e1d242724f44edd83be0bfdd07238de5fb7511c380df3a102a39590de215bb15994ede62dd6