hxxps://github[.]com/pepeleaks/Wizard-Crypter

Resubmissions

04-05-2024 21:46

240504-1m4yjafd32 9

04-05-2024 20:58

240504-zskw6sbb2x 10

Analysis

max time kernel
86s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pepeleaks/Wizard-Crypter

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wizard_Crypter.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wizard_Crypter.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wizard_Crypter.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wizard_Crypter.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wizard_Crypter.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wizard_Crypter.exe

Executes dropped EXE 1 IoCs

Processes:

Wizard_Crypter.exe

pid process

5752 Wizard_Crypter.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wizard_Crypter.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine Wizard_Crypter.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

33 camo.githubusercontent.com
56 raw.githubusercontent.com
57 raw.githubusercontent.com
31 camo.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Wizard_Crypter.exe

pid process

5752 Wizard_Crypter.exe

pid	process
5752	Wizard_Crypter.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine	Wizard_Crypter.exe

flow	ioc
33	camo.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
31	camo.githubusercontent.com

pid	process
5752	Wizard_Crypter.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 463649.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 463649.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exetaskmgr.exemsedge.exeWizard_Crypter.exe

pid	process
4684	msedge.exe
4684	msedge.exe
2276	msedge.exe
2276	msedge.exe
468	identity_helper.exe
468	identity_helper.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5552	msedge.exe
5552	msedge.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5752	Wizard_Crypter.exe
5752	Wizard_Crypter.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2276 msedge.exe
2276 msedge.exe
2276 msedge.exe
2276 msedge.exe
2276 msedge.exe
2276 msedge.exe
2276 msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskmgr.exeWizard_Crypter.exe

description	pid	process
Token: SeDebugPrivilege	5360	taskmgr.exe
Token: SeSystemProfilePrivilege	5360	taskmgr.exe
Token: SeCreateGlobalPrivilege	5360	taskmgr.exe
Token: SeDebugPrivilege	5752	Wizard_Crypter.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
2276	msedge.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe
5360	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2276 wrote to memory of 2452	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2452	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 2624	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4684	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4684	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe
PID 2276 wrote to memory of 4292	2276	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pepeleaks/Wizard-Crypter
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83e1046f8,0x7ff83e104708,0x7ff83e104718
2⤵
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
2⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
2⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
2⤵
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
2⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
2⤵
PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
2⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8
2⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5552

C:\Users\Admin\Downloads\Wizard_Crypter.exe
"C:\Users\Admin\Downloads\Wizard_Crypter.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4828

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
afb8ccd92ba738631394d2c1c9c4f219

SHA1
e1c1ea1659007428107a342f257d5435ad24e42a

SHA256
af0f4c6c3538cd3443cf6453f0a2da53a75700bb54b21e88816ffa004932c8c5

SHA512
ed9a8390b79cab8141505a35e60367702a422fd1170a19f1d641cf619504280214bd92a3827457363dc1de1909c47727091a53942fb261ea7f0264b981ed205c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
663B

MD5
c743078b7ec8c84eed2101a27e7d5e59

SHA1
f21d142600283ad60c57823430501532329e62ea

SHA256
3652dc24b68e730c8d3a935e8095f55ecff51c0ef6d441b8bfb6b8b686f5a465

SHA512
5d61d62a40fb2658fcdb4585d2bb1fa4563314e87629c86e54183493f04530631fedda3b30face207cfc8f117179ca0c8313519bd824af4d09b4f35404cc4eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2f1ce53ce7580b8e4ced6498a3de0d6f

SHA1
41167e2430c46d973b63dd716255275d9d53bbfc

SHA256
b4141d121e1a0b81aede293aca9e4a913b130121ecc62c95297777c571d659c6

SHA512
6e2b2eb8f8c6d2dc5ddca5b38354a83ab2ab6878c0e82ed9cc8743fe2fdfa8b5408794cae4c828a824bd9319801ceaa5dd330aefbe3b6bf43bb0fab74e2e11c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cf6d5b08d6253cf96ae97d4dcaaaaf23

SHA1
28386e4acebe40b379e3063ffed663305b419e32

SHA256
7a2de410894e2e20f2059729b505130ac406f43f16357e20bb4e28108c1bc091

SHA512
0ff10f3caf1af37815daeaae809b4c1230323db8b15108079ef63efdaa9322cbd3f9d5f2dbd8d81f0a7e2aeeb40b4d02856d56fe2bef75943e61fca095b01d1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
23836f262b08aef6ffb826ea1c58e2d9

SHA1
d9c2699a7aab89fda323005cd23400c6ec678925

SHA256
bb81d9de5bcc1a08453498b839a32342fc222c483ade17796070979d52943013

SHA512
c7e1d39ba65be643196fe240361b71c9190fcc2765d1c3128741ffe9eb19f13ff2d261c5780e90d40d30944f0eaccd91bcd2b7204d83535d3517de776d7cc47a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
80396a676eba11ab4a57dc3a4390fbfd

SHA1
d66534e0daa1fb3f40603a782645a3b0452e598f

SHA256
13543baa3c3ab0e1ba42818086d1bb434b098ea00b756cbe3805b796b117eba4

SHA512
5ae57e23dc5bf24d21a8f14fba911f1ea2be848ffb4c4fb504304e174018f6ca5dcb2481fb8b7403cbaca35e6ba9f5ee3adca5730a754efbccd75b4e07d02bcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
61bdc6a364b070130901ff22444785f0

SHA1
e0aa32f0565568c532e495d006929a5ea0d71459

SHA256
55cfa9584a28770ba786aa18e997e24c6f1fec624ffe9df6a822b9f64dcdfb6c

SHA512
b5ba79764ac2cf1b5fa568cf6528f8db26d05ead4a0a0993d62f5ee0591056f3cad3e6c99f224cad45852fdb13341f856dd88cb5c8d65fa2c7f70075c8c49b1b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 463649.crdownload
Filesize
8.0MB

MD5
b26b293985f7c364210c7cd10730081e

SHA1
cb877aac5d4984cdf2916537485749c809e5919c

SHA256
5795564a2652877356805490f4d0c918f0512f00f9c0534a029b03fb2400669c

SHA512
603799b9a2d0b25282f0e0c3decbfc897b8e4e862f1a334cd333c2dd326b5019b4c60e7e3a97ca7dd5da730b0b2f78a8b9d75c96607f77bed303bcbde2827e23

Download Submit
\??\pipe\LOCAL\crashpad_2276_ZZZPZFNQIXMTDKZP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5360-216-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5360-217-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5360-219-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5360-218-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5360-220-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5360-214-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5360-215-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5360-209-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5360-208-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5360-210-0x0000023DBA4E0000-0x0000023DBA4E1000-memory.dmp

Filesize
4KB

Download
memory/5752-260-0x0000000000880000-0x00000000016EE000-memory.dmp

Filesize
14.4MB

Download
memory/5752-259-0x0000000000880000-0x00000000016EE000-memory.dmp

Filesize
14.4MB

Download
memory/5752-261-0x0000000008E50000-0x0000000009218000-memory.dmp

Filesize
3.8MB

Download
memory/5752-262-0x0000000009220000-0x00000000092BC000-memory.dmp

Filesize
624KB

Download
memory/5752-263-0x0000000009870000-0x0000000009E14000-memory.dmp

Filesize
5.6MB

Download
memory/5752-264-0x00000000092C0000-0x0000000009352000-memory.dmp

Filesize
584KB

Download
memory/5752-265-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

Filesize
40KB

Download
memory/5752-266-0x0000000009510000-0x0000000009566000-memory.dmp

Filesize
344KB

Download
memory/5752-267-0x0000000009450000-0x0000000009462000-memory.dmp

Filesize
72KB

Download
memory/5752-268-0x000000000AA10000-0x000000000AA4C000-memory.dmp

Filesize
240KB

Download
memory/5752-282-0x0000000000880000-0x00000000016EE000-memory.dmp

Filesize
14.4MB

Download
memory/5752-253-0x0000000000880000-0x00000000016EE000-memory.dmp

Filesize
14.4MB

Download