hxxps://github[.]com/banana-glitch/Cryptic-Executor

Analysis

max time kernel
83s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/banana-glitch/Cryptic-Executor

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
36	camo.githubusercontent.com
37	camo.githubusercontent.com
38	camo.githubusercontent.com
34	camo.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
86	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	compiler.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5188	NOTEPAD.EXE
5608	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5760	schtasks.exe
5772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
1144	msedge.exe
1144	msedge.exe
2660	identity_helper.exe
2660	identity_helper.exe
2244	msedge.exe
2244	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
5188	NOTEPAD.EXE
5188	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5188	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 3812	1144	msedge.exe	82
PID 1144 wrote to memory of 3812	1144	msedge.exe	82
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 4176	1144	msedge.exe	83
PID 1144 wrote to memory of 3636	1144	msedge.exe	84
PID 1144 wrote to memory of 3636	1144	msedge.exe	84
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85
PID 1144 wrote to memory of 2052	1144	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/banana-glitch/Cryptic-Executor
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff540d46f8,0x7fff540d4708,0x7fff540d4718
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2328 /prefetch:2
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,46072257875470645,4290649882553573133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:208

C:\Users\Admin\Downloads\Software\compiler.exe
"C:\Users\Admin\Downloads\Software\compiler.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4020

C:\Users\Admin\Downloads\Software\compiler.exe
"C:\Users\Admin\Downloads\Software\compiler.exe"
1⤵
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Software\Launcher.bat" "
1⤵
PID:2536
- C:\Users\Admin\Downloads\Software\compiler.exe
  compiler.exe conf.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 11:16 /f /tn GameOptimizerTask_ODA1 /tr ""C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA1.exe" "C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.txt""
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 11:16 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Software\Launcher.bat" "
1⤵
PID:1160
- C:\Users\Admin\Downloads\Software\compiler.exe
  compiler.exe conf.txt
  2⤵
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Software\Launcher.bat" "
1⤵
PID:1964
- C:\Users\Admin\Downloads\Software\compiler.exe
  compiler.exe conf.txt
  2⤵
  PID:3132

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" /p C:\Users\Admin\Downloads\Software\Launcher.bat
1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5284

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Software\Launcher.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:5608

C:\Users\Admin\Downloads\Software\compiler.exe
"C:\Users\Admin\Downloads\Software\compiler.exe"
1⤵
PID:5852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
763108461045fcc95ae042fe6c854997

SHA1
693d1b3fc4755adad1013ef5b870ae14cb6583f8

SHA256
e93d3b6cea549ec347dc4652bfc68e62441f6a8c6bb615f157e526188f0c5e46

SHA512
ee24371940de0fe3b9595368de131cddc8481ba203d6c341621fa38dfb5dda29afd9597929524c68495fdeb309fac9bb5d1dd5e8c180906377081ddc4867627a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
580B

MD5
f653e5b7fdd47364eed990b47ad6adf8

SHA1
c137960f9e0ac0a3933641906dd7cffa2a98cbbb

SHA256
22e41995d33737b8283608699c841e817d5a3fa83e808992c0c0337e6011ce18

SHA512
54dc264072938ec6bc106c3b3a6253ba2bcca50b0627c27acac4c6d106c9a86d7edd894be8055a893bf930a87d996d635281bad2c6050f86f6339ad7ec6ca270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b80321af5ba0adee13ac766ccf3bc62

SHA1
33ca497771610810ba6acbf22132dd8fd80c0e99

SHA256
7886f881988fbebb1d6181bba344b0dbf2cc44770b1220e1f34d5b6d02015ba6

SHA512
fe14c7aa9116730dcc8795cc5977697f3bcbb27eac08debce74c76dbc88ea60c495e640b6a40c3c7acbeb959494cdeefdebab43f1c856fad54d18d0b6d84d696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af2e76de0c8ef03da848642ed17edc92

SHA1
080f24aaad22298f8febe4315c7efa8433b2e3c7

SHA256
fd5035a1718d87af425b1c0bdf88d0d21e956ad6377b6adc06893d6a72b6c77b

SHA512
d8407e2e87775c7a02dae3e2ebbc0a1b5b71f217cd9be3ddcba924de4e1a5f5f8bbfa2edab171330e60959fa66bd0e3ecad04bbbed8445e289ac059b268b4b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a1555fe345d4d206aa20b230de764db

SHA1
496239ac5f2401761c386ad1ffa5d26a9e296d20

SHA256
a39fbc4e8846ee9c5d9b822e324af2cd3753bae7aa8e395833855e472e2bab4e

SHA512
e1d69d67da650eb6384f84a71ba08c458a5d4863eaaf9d353c2595231636004fd6fb423954734570ed815a124a212372e301d5a7603fd5a1233fbc9ee75b87cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1562118a3933a930187f972e0facc34

SHA1
dbad8d2a9ed85618163dd1635685c974334c0f2b

SHA256
33cf7f487bc9e0aa8afea54639ca1642236282f85053ac6cf6a0af8fdd09d2c3

SHA512
6a577f8c74eb7040268da7927611fb69c5da0dc6da2dfc5b6c3ce4b29f1e238d12fc12791542b2f82f66d0ed03181642427cf12dcda9ec1c308811fc25269b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
59fed36d232d0e908cc2277a7aceb627

SHA1
ef5a221af8a08772e6f03ca8e10694ef743ee79e

SHA256
01b1ffd85e9a4905e77d8b9dd7233491f9883c9a79385139b8226bb17e15cdab

SHA512
acec6a45217f2deb13d31ce208e139813f5e1ea9fed3a3ece444ff3433e33554699b293c49e58ab4b0d3ddfb0006496cfde964ae3c791b09b1d86f4d8aa90f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc4d6d786ba0041b38d959476f558216

SHA1
2572389127b1ea62d1df4bcda825245014176539

SHA256
11e30d8f763a719c2c71d07222ae7f5482a80eb4ed2ee9afc8dc3a0892f66c7b

SHA512
716188ee2033896fdb9654f2e7ec4572ca6b8a796298b58ea4a2dfa602e75b782a7468f05ad34ff6355bfe75250776ddde4d24c064e12ceae22e1c7e85a59ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dca4.TMP

Filesize
1KB

MD5
33c27df209c78f321b251a275eadb2eb

SHA1
ea76e199d475d76a0a548d752bc608deda6928dd

SHA256
f1b58de1a57ffd598ade0f61c41cb7b992bb6daf52a86dde0593b268c4e32fd7

SHA512
24a2aa3df61c8db9205827eb756cabd7286cf1016a7c4923a15d45b30709bc27cc2014452c9f04f2b32010d3199d0d036c7283e822d7bd91d4dbafb8e35af513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c44062cf96fd31a70ed8046f5a74d2e2

SHA1
8af48d0045aa89aa8dd584566b86edc04e14cc20

SHA256
1c32862fbfa78567dc5b057894e19bcabf906cb3288e51f147b2937d526569d2

SHA512
3cc9ae1e4d98175678a96643601edbb958930eae88025849c6553b4d58054472e0b17d6b8b45a27f0e873df3049a663e3af6e9491eb162bde1203853d9f16fcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
42e3bd12667817f3d0d62706fcbc6d47

SHA1
6bff88b037f5b9d8062f468ca9f09ec75be8b2f7

SHA256
a2f0f905baa320b82fd815efccec49358b55dcaed6d490828c41db51f6d402f5

SHA512
7caf99def824cb2893979ceaf7466a9a58800da95f3fd61167b838263c9f847aab11ceb2673efad3e357e0e5b747093dc65016afb450f8499dd3be059bfadc9d

Download Submit
C:\Users\Admin\Downloads\Software.zip

Filesize
436KB

MD5
76729b9161b4d9793058c34d9eb5f3c2

SHA1
ab8f05cec0087d79621580c698c3d1cb39f4465a

SHA256
9f2275456aa10c7ec0c170d3517d19b92facd9170c1cfa775182918121a92f7e

SHA512
5d7080e78d1392d43ebad6b3bff1aaa91457edbaba86a856f5e1b783359347684da1200efdd7f9aefff5e2399f6c22b2b5c2aadcf469846f1fccddbf73c6765b

Download Submit
memory/2344-324-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-317-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-350-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-349-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-348-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-347-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-346-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-345-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-344-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-343-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-342-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-341-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-340-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-339-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-337-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-336-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-335-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-334-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-332-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-331-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-330-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-329-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-326-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-325-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-352-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-323-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-322-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-321-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-320-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-319-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-318-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-351-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-316-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-315-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-314-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-313-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-312-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-311-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-308-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-307-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-306-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-305-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-304-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-303-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-302-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-301-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-300-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-299-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-298-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-297-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-296-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-295-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-294-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-293-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-292-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-291-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-290-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-289-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-333-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-328-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-327-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-310-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-309-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download
memory/2344-338-0x000000007F900000-0x000000007F910000-memory.dmp

Filesize
64KB

Download