cryptolocker | 73fdb5cbf654176f8e733b164a8870ddce42f76f8a6827756ce5764510cc95bd

Analysis

max time kernel
150s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
27-02-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

watch.html
Size

881KB
MD5

bdbf42e182d9df0212f956f4580ae73d
SHA1

f389280d7626714f95488112e8eb4cd2f5e37308
SHA256

73fdb5cbf654176f8e733b164a8870ddce42f76f8a6827756ce5764510cc95bd
SHA512

ca65cd4d97c26e2bf389bf263fdcfe3cee1186b7ed239b5778d235a7d3a7e51991665711c4d9743160f4af51ee669db4c0f2c04934ee0645afd72f2bb31bd30e
SSDEEP

12288:huspsJsUsls+sas/sysQm23Sc8oLqKqgV0fGB7sfdQ:ham23F8oAGZ

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1812	{34184A33-0407-212E-3320-09040709E2C2}.exe
1680	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
61	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{86E7544F-BA0D-4395-AD17-9A772194B152}	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 750300.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
4700	msedge.exe
4700	msedge.exe
3124	msedge.exe
3124	msedge.exe
3196	identity_helper.exe
3196	identity_helper.exe
1620	msedge.exe
1620	msedge.exe
2344	msedge.exe
2344	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe
4700	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1104	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 2944	4700	msedge.exe	77
PID 4700 wrote to memory of 2944	4700	msedge.exe	77
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 4992	4700	msedge.exe	79
PID 4700 wrote to memory of 3540	4700	msedge.exe	78
PID 4700 wrote to memory of 3540	4700	msedge.exe	78
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80
PID 4700 wrote to memory of 3980	4700	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\watch.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdd7143cb8,0x7ffdd7143cc8,0x7ffdd7143cd8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1776 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6664 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5704 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,17956795264274872924,13239053735712641821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:4364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2064

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Users\Admin\Desktop\CryptoLocker.exe
"C:\Users\Admin\Desktop\CryptoLocker.exe"
1⤵
- NTFS ADS
PID:3016
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Desktop\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1812
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000023C
    3⤵
    - Executes dropped EXE
    PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
12b71c4e45a845b5f29a54abb695e302

SHA1
8699ca2c717839c385f13fb26d111e57a9e61d6f

SHA256
c353020621fa6cea80eaa45215934d5f44f181ffa1a673cdb7880f20a4e898e0

SHA512
09f0d1a739102816c5a29106343d3b5bb54a31d67ddbfcfa21306b1a6d87eaa35a9a2f0358e56cc0f78be15eeb481a7cc2038ce54d552b9b791e7bee78145241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce319bd3ed3c89069337a6292042bbe0

SHA1
7e058bce90e1940293044abffe993adf67d8d888

SHA256
34070e3eea41c0e180cb5541de76cea15ef6f9e5c641e922d82a2d97bdce3aa3

SHA512
d42f7fc32a337ecd3a24bcbf6cd6155852646cae5fb499003356f713b791881fc2e46825c4ff61d09db2289f25c0992c10d6fadb560a9bea33284bd5acc449f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2cf75638b450a0179b2859478f192b32

SHA1
608232d4b8e62e02316b5f4737f19895670984e8

SHA256
44c2196498cc2a8e8be1f381ff54e076fa0d3eb7777cf8cabf30f72d6b56bfa4

SHA512
2a5b084524d5ab3b50e9f5bf8c6d2d1350153f6bbedb51a0a3138b74ef4b1687adef562d2e16ea8e93e68b33fd043c862e7cca871195ee46103028d2d9bf1dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9bbe27dfa5678afce004fba27f8ed6f2

SHA1
e8a7965bd3f517bc5afeca917172e38ba349f5dd

SHA256
465bc3fba5bb63ef7e405518b4ce9c55f26a845c46a1823c75d3d31cd70d3b57

SHA512
326e210bbef8a2f786dd211a8f3a0a650fc242b3de5533a8d3d1cb1b52dac67451dd1c62924d5617c1a90c15ca75050ed5c1c81f9c7319e0f9aaeb1d13a0be5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8bb78946fcb3f48bd245fe9de0e9d19f

SHA1
1fe6704410cffac4c8de4a796f371df077f4e3ce

SHA256
54c0347c4e327636d5aafc35c2ddb3398363db0be61477856ce1055827af61ed

SHA512
f9a16019fb9be58695afbf440c20b86ac2f39a379da292e88dd8b8a99eb245e27a645f49cad14476434e9032776c0b9f38011e65ca209d36d1d25ea7fbcb004e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9bc27a134643dad67130b895686c094b

SHA1
5ffc1c8da3c4c91a4bbe948598681e7cfc437ab0

SHA256
415e214054a446b70e00fd31225d1acbdf9b6fc9fbb6965a1a6d5fdf30b94747

SHA512
ff8d0a553c41597bf97fc5aee853ca146149150882859c37430e90998cde1daaab1c2da623618e0addef4ce97eb6a37dc178fd3ffc1f3822cf81a806955be4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c435b9d57ae2af9e1c4ff2f207ae247

SHA1
701f396f05120db61645c313848fc8fb04f62307

SHA256
3f874e753de5bef4153f12798adf1e090848cc57b4171c1d8e30cba0d9d7a37c

SHA512
5a13809de2a7ba4521a666e6b45fe959952b9505a4d229f87a654fa9968e37646735a341884c446c09be49e282cda98c500dbcc4d85b5bb1855d54a3ca7b800b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a111019eff1603214c8c867450aa57be

SHA1
9da0df5a8088b85ffb9c88038db5ccf337b95b0d

SHA256
26d07fc35078ceea354932f461292dde6a4f9c0ad977899b87b86d7019f479e2

SHA512
615f21a46cfce4ec897d04fab2f43aff77fa5359f60c6e5b8dcee2b7367a57662fe1b461c2147bc14a965b65ff4d35a6868dbf170aa341c85ba694a2805f414a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3e4c28a904ddd1ccb82d7cda5278c5e9

SHA1
68b988b45a95e3892ecf99685dfef8902d62a1e3

SHA256
43b1b5d3f774b252beeabda97327f606d0a6e27f0ef157581b5e2371e616155a

SHA512
aa5c4e8ddd30e338b4780bf4bd635e350888d936e38e1e68a9f20118e141a2a73a7e3229a2b569a48e70c7f48b0fcee57949e16c107b3fa6956eedeb4b97910f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9d6e3f3ff9b66a1f037f9c562348de48

SHA1
85f1738e0fbcd274b57fbbf4b774be2e67a04288

SHA256
7854a9b09ec7a44ed6502de50eeae5be1df4d0cd441c031b7032ec1fe48bb630

SHA512
8e69ce69001faaf0bf7169b34bc7768057efaf7f17d9607b6b7f568571b39fa5f590cd105ed3f0a380c7288f903525e6dfd1d0db0936cad2189f837bef565283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ff8958702a6337b4dff9aebb0a39656a

SHA1
0e8b84535b6cf792cfc9f09054cf26feac12a7bb

SHA256
dc2cfc36420e596d624dca233ead6c24d08c2fe3939968d3431b0f4db3876aa3

SHA512
10455b18bfae9aec92f5ca0772d61c3e1c27314c3b385ff5f31019c5c3394ba6b46abddc6f305717cddf5c5b89b73b52d22f7c5dc7ee4a1247e566b21dccc90f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
971e56d8b5ecdcfe3a154a5c972a16fc

SHA1
53a91986e2e7b59ba402b313bbe55053c4013600

SHA256
2004d15e3cc964f54101c9c538aa95dae7db0578c45cb67c5976f40823cedd67

SHA512
d77bb8388c0fb275bc9ef2e06e43561762cb7b669e97ba321605e69045dcd370552958fce0f99c371d8168b4fb16b269d3026cbf6051606c06d74da0277eddaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
22e7e63ba9bfa5b342f6fc0d9aeb6a6c

SHA1
605d8196e2ac039e0d95932b71ae0603632e0c64

SHA256
f6489881751166a7598dd71d24fab6dd914d85fe34048bbb524c6eb334abbaae

SHA512
db0218bebbf42135a01dc3bc2cbe1559bc098ccf429ac8bb0fa053f9b4e0c897d942d6af03cdad5d7c4d836e7828b80162d90a9a89891e7f785947f030706c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

Filesize
73B

MD5
f134f3a215fe96bcf4dd45ff264f75d3

SHA1
f75e9691eef80d71bf0e25854e1611e653f8869d

SHA256
25c763522498d328bf1b707723f85a9c49670bf68df4e139f8e2fc071aa7aec7

SHA512
0147efb5871f48f27d656c2c9efc0a4afb2ec62ab9a2da867812b3ce989de3a2b55d131dfcec4b623fe2f36d4878fc94fa553987a7e98a1f9d9f33cd6bc93b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

Filesize
130B

MD5
a0a881e5c65bc69a28e500fa4341c007

SHA1
32125866d93e52f4bf0fc825c5fb321d8f0c1222

SHA256
b410e3ab238b18679a871c652adb5feba9b9204130412ec8e68cce829743ea92

SHA512
b4e0d57caac6eeb72b3cf411cf1ff09d2f640e26a1cd2c5c179907eef30e663a1a0ce85e8ac30e04490dde463bee502cbfe382d5234c7b9637603ed9281a4fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

Filesize
66B

MD5
267c56ffbd81ff46d53feed961318c07

SHA1
024aaff3e23b3f78654a99c4732a592269443842

SHA256
f845f71b606ab1f9c5383e04c23509c39afffc921e9567b43525337f21a33af9

SHA512
d3ef07e18fc840af5760f9a950c24f6112e1199607668671c254160c8a467cade23893bd054a487e2a6de7b98f9e12ef90bd893212d0d8d2bdeea95fee0006bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
62a1a19fe7c241523e1bd02432cf5147

SHA1
f14fc29cb287f2173717bde96c77f08448b8e9ed

SHA256
18704745b1dd6181192f1d1475c4f0bd590a09c6780db7610be0133284fd6191

SHA512
9a12b26c4521d6df3e1f38198178778b23a9d15ce5a71e413ee21bc70a3e6f41701b9106bd9aa7abc81a8611a770550d7b2f658401eeeec37d34fdf138793801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e984ad075535d3e3bd6a9a231feb00e8

SHA1
b06aa7a262499d5b9f8b58377e685898977debb2

SHA256
790a226739b91d955857dd978937c00b9b3f4382ee6553639eac5edfb8f9e1f1

SHA512
770c004d3447473ca4e6c990ee49719740a5b9fb7420da23826c7fee95e112eedf85d8f0aba40dcaf4a90c5374f4ef9d28680782585a3879da0c8992c75c4102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6b4bedbe7e9f39e9a25ef4cff3dd7c01

SHA1
527160aedaf51f91d7bd2e1b7ddf45f5824e6126

SHA256
456b67b5c8ad17f8c05a46e82b0aa73a0d13e404497fb48b5f1c8755d590d6d5

SHA512
4876ef718fd7fe57052252bf59d72c92c8b24819c3dd66e51a71fdedf0ac7fd02419f2b48938919d6269d64decd434ea572b8348e6468aed4759d024b47df190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7463bd36569609ecbefa18f15d349bf2

SHA1
789974826d67e727df577aeeca7dd33eab77fd48

SHA256
9b3968d98043bd5eb8e022e2b426a3c6a938618d7d050226ed16a634b0545c49

SHA512
c5335e8505effb5f924443727df59a25af43b9d89bf111b3327ff96b3e3f7ba279dc081a2a84185ce952666a9409d3a3b3a052941e7095da79e351033bd73e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58439c.TMP

Filesize
203B

MD5
d711848804e91a30f43e4624dbecf10f

SHA1
f817ef394000e0cda3f4a0b5d71daa03be15a562

SHA256
71d8bda6fb54238ee5cff21a1713d4d53172fe2e13db9185e46e12ff5b816990

SHA512
40b93cc5665f98a78e2719dfe010ca609a8677a16395275a3f3ae52696ef2b9994caaf0c16e30ef391535fffdba4f50e31a37ce244b6b2f8954e4b2eab9a73e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
34c94fe618982ed68ba662c9624feba6

SHA1
9bda84a19d9e54ff158630c07d07adc301b7afc6

SHA256
d25db4f819ebd394a250a4dd94153bc181e72f48a3f0f64d1d96c7b9cf9ac9af

SHA512
90655e6026bfdfa53fa46111c0ce226a29a1fc7d142c2bce73dcfce9195c0cb48874ff39fda49bf027ca0c6ddc55374fd3c0e4cac67ca49a592dd71ae6ba1ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5d27c6b926b1f416728244bbc58eef23

SHA1
5de4b4f1040b7d061fbfd9ec29bea9b185fd77aa

SHA256
3bc7ff4f520029abe808c4946336b3f1290ed47fe830c58ee6eb7bcb6c24d701

SHA512
29b60695b7243ebb3125e6392b0014a7cab560b6dfd4b76dcec93f21ddc796dfdc1e4bd9630beecf099f1668055a13e8199b6188fec3d51ccc2d77671e445053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1e992da9d6f14dbd947696e01898ab3e

SHA1
2a2e9c61ace1ff137435bbe087314a4d6618cd2e

SHA256
357ff58c4ddb0e14b1aefc34a1ba9439374cbb0713dbe0fd78ccdb6861719689

SHA512
923b10eaa63d4b3c7a2b338e2c4ce1b207b26f683d8f7f76ecc26537a05d6f37ae135a5bc48993db3eeaf32459b3c1f2f3e68916457b9bd83370243b6f2d88a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77375d17a8241aa06af550428e413cee

SHA1
ec13b23081e0a9cd92ae4d944deea5f5e0f036e6

SHA256
45d3a9dec1354dbdaa71102c669564b4ed52f1981fd657550f6c1babc20982eb

SHA512
64ba1637e51aa95f61c25c46fe20e597bbcae509cb0f1cd71bf26aa1841b2bb4e06e2941a25cf94addeff2f097d84feeb7fbfbb05729f3cc921dd076e95da56c

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 750300.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit