cryptolocker | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CryptoLocker[.]exe

Analysis

max time kernel
201s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CryptoLocker.exe

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Downloads MZ/PE file

Executes dropped EXE 22 IoCs

pid	Process
4464	CryptoLocker (1).exe
3388	{34184A33-0407-212E-3320-09040709E2C2}.exe
724	{34184A33-0407-212E-3320-09040709E2C2}.exe
4380	CryptoLocker.exe
1028	CryptoLocker.exe
4132	CryptoLocker.exe
916	CryptoLocker.exe
1440	CryptoLocker.exe
3596	CryptoLocker.exe
4524	CryptoLocker.exe
444	CryptoLocker.exe
3636	CryptoLocker.exe
3408	CryptoLocker.exe
1192	CryptoLocker.exe
2256	CryptoLocker.exe
4088	CryptoLocker.exe
908	CryptoLocker.exe
2808	CryptoLocker.exe
4772	CryptoLocker.exe
5004	CryptoLocker.exe
1400	CryptoLocker.exe
2644	CryptoLocker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 835933.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 799163.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker (1).exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4740	msedge.exe
4740	msedge.exe
2364	msedge.exe
2364	msedge.exe
3840	identity_helper.exe
3840	identity_helper.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
2356	msedge.exe
2356	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2384	2364	msedge.exe	73
PID 2364 wrote to memory of 2384	2364	msedge.exe	73
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 3404	2364	msedge.exe	88
PID 2364 wrote to memory of 4740	2364	msedge.exe	87
PID 2364 wrote to memory of 4740	2364	msedge.exe	87
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89
PID 2364 wrote to memory of 3600	2364	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CryptoLocker.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc624346f8,0x7ffc62434708,0x7ffc62434718
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4660 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\Users\Admin\Downloads\CryptoLocker (1).exe
  "C:\Users\Admin\Downloads\CryptoLocker (1).exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:4464
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker (1).exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3388
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1920
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17267896915869000896,911905013058428659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
  2⤵
  PID:2580
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:2644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eb20b5930f48aa090358398afb25b683

SHA1
4892c8b72aa16c5b3f1b72811bf32b89f2d13392

SHA256
2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35

SHA512
d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
acb0de64e89e7f4221a948487d03b46c

SHA1
07267983907ac608ba68aed1f92f1ac016a9db3b

SHA256
016e83fd24a2c77ada3bcf794db34c6520c6bf1b422f780be2340282a6cec584

SHA512
eecf43d65cccdba07557f8bdbdf8999f05fdfe52bd03124b922f2778b26d9f67797e8441823147f85d3469e66eddb8d89b4be65b6a7e57a8fbecee3b614b3723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
fddd93df7328323d7a5172b2e3179185

SHA1
0a62f42d81ff1353a8586f17557e1a5a28492bb8

SHA256
04c9b17749081536f0f76202a9703f9412c5011c8b2164f410f0290ab3e91c75

SHA512
60178f5a101e6826b6d87b06221860d0347b249decede902b664ae059eae22f0e047bcb7b21b3d7b1b095b34d8a1763f923c96138ed8481e16e96ed0c6d879b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d88e36124ce4853b955b80954738f9a8

SHA1
7666577d125d82fb73156b939f5b3f7fd59f60a9

SHA256
9464aa2047a97fed3088579e141bfe970cddda871cb2a3f89e75771617a866d4

SHA512
b9e33ae074f53ff9c15ca717bfb0f9165f155ea457887bd3eae6d6a033aec5a297bb9de4879838355a8bef6479475ee525e20f6d4c8b5a4d6d89287029cddf88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
762d227eabcd5c91ffe48b02a824c7bf

SHA1
3f928d143d70df271233e5770640b2ca345b4b5c

SHA256
5eae8601b6369da2ba82e48db75dcd3a16c421a55f1d4d148b9f2df319e8b426

SHA512
4b3caf8c2160a2321c6dd5b28dcb1afd94868679cfdd6c0eeb9aabcc3234bbd638f7428ea5ad53363c200bb5addcc4954192d184456aaf1792d7cff6d9dc48b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fabdd45e817507d2949412ee7e83ce5

SHA1
52de559eafc74bc70e35fad82ef05decd40f405f

SHA256
3d1c50fac7cd638cb8fccf17b62264fcd6857eaf68180b7b64884c6edfb72253

SHA512
43184a9830d11d7ed8f1fd4b7519ce868173a6d6a59b638683237ea3718ffcfebe19a41cda5d2973f4f0ee85d9d4a1cf084348f826df8db4079a0dc14ffae55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62875efe7a1174d15ec32190813f02af

SHA1
5e56db40fb2baf3c09745fe31fde7ab9c2f22ec2

SHA256
10c1c48120d77b2c0b805ab95538397435b1baa1f729448b087c8734c31398fb

SHA512
702de3aafda651c1d88203d8e232ec4c74d54ff5e8a4a61c6aba514c09354eb61f05a7c706eafd03c09e817679f94cc13d0406c08844e690c9522f709d043f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9fd0597b5bd332c200761981cb0b636a

SHA1
baec8074d6b492312acdc60699c13efd764f1a37

SHA256
bc2f09859826c38b2c8f6da298ec2e440c659bbf3693f98d96985cf46cf7465a

SHA512
8b147de66b5f63500f4e6f4c0672eebd0d592131ca2310804fb8b8d654c5cb7ce9e63a58fc80c6b213302609640ec07db833a8b14541bdf9ccda1a13f7f2ee8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2bbbdb35220e81614659f8e50e6b8a44

SHA1
7729a18e075646fb77eb7319e30d346552a6c9de

SHA256
73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd

SHA512
59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1ea8a5fb81a566c7c8c55454ef04dc8d

SHA1
29cbbe465886483e83ee842ba17c50ec8789a5ed

SHA256
c2c5a0232c8ba3639d4d55422cf21b24f15878d48f6cdbe91d818213151776bb

SHA512
e4889a99ea6e93a8933a2816a6e3905d6a0b3f05c464e0843987153ace2964cb55120e00f4bd8db531b952c7238e15c1a0dcdccd3b74b1a582582656c02eaa99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
baf681609f9d8b2ffe9914262723d758

SHA1
2fb1b5d15d7b11c28451c07cf3aac55a01b348db

SHA256
30df34eaeae4bba5303fad0a2b66f237905c5820be871ed8054c36ff50a3d508

SHA512
c1636bd8badce83edd6566cf595c699b5ab81bdc7485e70beb8be169650219b32898c22750f6eb9821f75eb66c7d776531366554ecda47678b1c0c76a14d2c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59e68e.TMP

Filesize
874B

MD5
4f3816e85ffde6a2390e87d76f0d7eaa

SHA1
14d99e7eef4be9f876e67bf1c70a9daffb0c7774

SHA256
dfe32f4873067b5c3a17e02c05f2de2b8253d22eecb7654e654d62bb70155ae4

SHA512
f834fb7dd418c9b0fb955906b032b301aa6645edb562fff42e5a5197e560b1c0bfaf361c167b12411a336f384d17e2146675338bfeb888075430073f81ad1e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cdbc8352c4792101ada2076d3c9f0484

SHA1
ac082f2cf90ab0bb8ed1cb49fafa26cb9f07ee61

SHA256
3dcd2ff90bdd089bd8f5db6d297edd8657d4449e468f4a882b9b0995ac99de73

SHA512
83f0a38a8e3049e88c3eacdb33ddaaf5f54aa808d3b1bcaae245539168d9839930d520239bb42c3cdd52b73d95c5cfc201dbeb1dbe3462a142065b06af242c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7ff55a383441da7b02ce93227ea25c9c

SHA1
bba94bb0afbef2f7ff5e00d924a0e40c5dc3d03a

SHA256
a9dc2e68285e20d9caf0772e97238d82351ec10a6cf6743bf9c79bf6db4b0580

SHA512
94610c5cb99893277cb4881f4bf56f931c1c324b040856e4772f86418f4e0f4aa8c3fad1f622d2dc9464cd3448fea75c70a7854a921cf1c05592bf95b8363ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a5d8d400565bb09083f28c638234202c

SHA1
b1b3c01c8987177edd99295b38148bed0e342727

SHA256
3c8762b7254f74843f532994d07b6b019ec9d211b31a70ce1fb6d9bcd1ff580d

SHA512
9ed7ea2db870f2b4b24f25547ad28cce6487049fcb0f8835d5c13dc73335d424f811491723b19dfb8ff49e31f37e9b6f5d25273b558303ebec34d6da9574d965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aec42bb865fef5e60c892f878bfdf58e

SHA1
f7ab834c068d730da4d6649b4ed10b0da7168088

SHA256
58f7cf68857abafc576ac3508fead117a7e9ad57af23c5c477caf2c679179c29

SHA512
4262666e503702b7523297be562633b53a065c848038542d142b24349a093ac677b581b59a769419471b7d61ad8f43730e5c42b8bb3e66639bb16fc4bc32ccf0

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe

Filesize
262KB

MD5
55a14754d5565b16417d89e91c6b695a

SHA1
d0462f24ae4d22cc2d28845d472f72a9af283d85

SHA256
83db59676bc1f641b20ea11dd4c9baebc4daa3ba26ff22093584546edf0e11d6

SHA512
77b4bb60d6bdedf4f9b5ee26ec74ae04ab5bb74c857907218e675897abb809c6fd4321f7b87ab3270ecab5ce4d474ce6435e156334a774d3e9ab98ca02595d2e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 835933.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit