mercurialgrabber | hxxps://www[.]mediafire[.]com/file/ixmk6a4gc5na0fs/Executor_by_hubguy[.]zip/file

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Bootstrapper.exe

Looks for VMWare Tools registry key 2 TTPs 5 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Bootstrapper.exe

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bootstrapper.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
245	ip4.seeip.org

Maps connected drives based on registry 3 TTPs 10 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Bootstrapper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Bootstrapper.exe

Enumerates system info in registry 2 TTPs 23 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Bootstrapper.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "8"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4632	msedge.exe
4632	msedge.exe
4656	msedge.exe
4656	msedge.exe
4696	identity_helper.exe
4696	identity_helper.exe
5340	msedge.exe
5340	msedge.exe
5632	msedge.exe
5632	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3504	Bootstrapper.exe
Token: SeDebugPrivilege	3952	Bootstrapper.exe
Token: SeDebugPrivilege	2240	Bootstrapper.exe
Token: SeDebugPrivilege	5988	Bootstrapper.exe
Token: SeDebugPrivilege	5416	Bootstrapper.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3616	4656	msedge.exe	85
PID 4656 wrote to memory of 3616	4656	msedge.exe	85
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 2088	4656	msedge.exe	86
PID 4656 wrote to memory of 4632	4656	msedge.exe	87
PID 4656 wrote to memory of 4632	4656	msedge.exe	87
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88
PID 4656 wrote to memory of 2388	4656	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbef3046f8,0x7ffbef304708,0x7ffbef304718
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=180 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6888 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5389796324384687131,8326666697251116196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:4364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5788

C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe
"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion