Analysis
- max time kernel: 86s
- max time network: 76s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-05-2024 21:46
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://github.com/pepeleaks/Wizard-Crypter
- Resource: win10v2004-20240426-en

General
- Target: https://github.com/pepeleaks/Wizard-Crypter

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
- Wizard_Crypter.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Wizard_Crypter.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Wizard_Crypter.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Executes dropped EXE 1 IoCs
Processes:
- 5752 Wizard_Crypter.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Wizard_Crypter.exe: Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
- flow 33: camo.githubusercontent.com
- flow 56: raw.githubusercontent.com
- flow 57: raw.githubusercontent.com
- flow 31: camo.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- 5752 Wizard_Crypter.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- taskmgr.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

NTFS ADS 1 IoCs
Processes:
- msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 463649.crdownload:SmartScreen

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (distinct pid/process pairs):
- 4684 msedge.exe
- 2276 msedge.exe
- 468 identity_helper.exe
- 5360 taskmgr.exe
- 5552 msedge.exe
- 5752 Wizard_Crypter.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes (distinct pid/process pairs):
- 2276 msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- 5360 taskmgr.exe: Token: SeDebugPrivilege
- 5360 taskmgr.exe: Token: SeSystemProfilePrivilege
- 5360 taskmgr.exe: Token: SeCreateGlobalPrivilege
- 5752 Wizard_Crypter.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow 64 IoCs
Processes (distinct pid/process pairs):
- 2276 msedge.exe
- 5360 taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs
Processes (distinct pid/process pairs):
- 2276 msedge.exe
- 5360 taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (distinct source/target pairs):
- PID 2276 msedge.exe wrote to memory of 2452 msedge.exe
- PID 2276 msedge.exe wrote to memory of 2624 msedge.exe
- PID 2276 msedge.exe wrote to memory of 4684 msedge.exe
- PID 2276 msedge.exe wrote to memory of 4292 msedge.exe

Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pepeleaks/Wizard-Crypter
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83e1046f8,0x7ff83e104708,0x7ff83e104718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4792 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,14561244843320019880,7469782920380615932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Users\Admin\Downloads\Wizard_Crypter.exe"
    Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads