cryptolocker | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

Analysis

max time kernel
62s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

Score

10^/10

cryptolocker discovery persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1620	CryptoLocker.exe
4448	{34184A33-0407-212E-3320-09040709E2C2}.exe
3188	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
65	raw.githubusercontent.com
66	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 606447.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4412	WINWORD.EXE
4412	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
1356	msedge.exe
1356	msedge.exe
2920	identity_helper.exe
2920	identity_helper.exe
4528	msedge.exe
4528	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4412	WINWORD.EXE
4412	WINWORD.EXE
4412	WINWORD.EXE
4412	WINWORD.EXE
4412	WINWORD.EXE
4412	WINWORD.EXE
4412	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1616	1356	msedge.exe	83
PID 1356 wrote to memory of 1616	1356	msedge.exe	83
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 4284	1356	msedge.exe	84
PID 1356 wrote to memory of 5080	1356	msedge.exe	85
PID 1356 wrote to memory of 5080	1356	msedge.exe	85
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86
PID 1356 wrote to memory of 2008	1356	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae86e46f8,0x7ffae86e4708,0x7ffae86e4718
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,560111769027482577,12772553767157512470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3188

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:1620
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4448
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3188

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\SkipOpen.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
974ef23a6eb277fc2f0b3f8eb0116481

SHA1
1404d871c6a8abf19b810f4a78fe96b7ceeb8238

SHA256
9a76897f4ecd3620eeeb10c09fe73b99329df352638e46ba234d5008759e2e81

SHA512
db66f25d3df66f7ab96a18b4508769009f7510812cbc745f0183bddd75013669bb25dfb0ccdfbdd31312048235da6df6b16e2ccd1923084aabdf14fc3f4950eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
055908ab80ed17cc0827a2d5fd92900f

SHA1
453fed25cf8209529c52822c36382429e98843a5

SHA256
f14eccb92ab8e91533df05d5db5e96ff2ccc6d536e7e033822a320ae1f92d00d

SHA512
47d7b2803fd0b7a13d48e5eca769ba4b53134652aa84936bb1d3f9c20870457ffc1cab200c9f19bd8b97b03a08a3b3a5a719226ebcb3f8b7ad4c17f13d5838c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f5fe60c30921037e424b9a45b009e09

SHA1
78fe9bf29170aba2d598dd5fb40efe37176cfcbd

SHA256
b67853b729286701b22e2f1a71ead49a9be6ea214c22fd98a5d2cf5cf9f28d6e

SHA512
9d61ce1a46c28c4bfdfff61f86823b64c76fb5fd1a75da6bf6543816d85274eadb921c31dfbe389b1baf9c14fe4434871465ec9cc8a2639d7825f8f393631bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45e647e90b6ff18fabed709a4e401bf8

SHA1
448d26405dca1b4f44f90103d842a5f341c59218

SHA256
4b8698d0f30e194d53bb9d33e007d8ae79d0baff2dd94f1b4bd253f45990c396

SHA512
ac4933560d09c8357c545e547062d1681c663591d8439752e61abfdb585fd30f00bb7e2559063714879c232c002d37e54e86033db7d46ea261d9b0ac76e078dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ad3a321b38746afdd742c94fd712979

SHA1
d3c57ab7c736432b5cde16c5661b93e84236837a

SHA256
8921821f302fb4a2d80474616995a4ec78da6f078d59ddc5f2a47b5c27d9a16f

SHA512
b73df89aa9f8de66958e71a1cde983d30d876f96e7ed66d31f3b10e27bffabf280eae98d742b19beb20610057b23195a2bc6cc823cadb469b26cf34a09fa19c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e12951291a30d28b5215181179877baa

SHA1
c86b516f6453afd30c0f7f3e62d5ad2b948ac6f5

SHA256
3935bb436ac7d29117ace639cccaa4948bc35afd6bd4b0c8496f8daf93985781

SHA512
a36a36eb60d9e7920724ba81360a789bbb048704b089d6296b59f02a5597cea578ea79cc8b9f4bc31deb40772eb5c7719194598f5e27c6664e4232480b7406c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
f533001b55e2dac6b049fe69cab63c31

SHA1
941d1c73227fcfbff865b064d12cb1206d1f5b71

SHA256
27ca5add8dcf051a72a0ed8e2bd757f7498c5d17c13aad62d3a2215bd277fd37

SHA512
dac3e081b28e0e371dfd7f13b0403ea36a8ed3d7bb84dad6aa486a4f63e91fd63e78e23e9f62464ccf53035bb9300892c78840cde2ed4bb6fa046f5d489924a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580616.TMP

Filesize
874B

MD5
48db25d454773a2ee0fd4c22b12ffd43

SHA1
d65f47089c5bef4476f15f00d55b5caeebeb9965

SHA256
346b7f13482b485ceb579c04a30b48ae88b3ecbcdf735d87b2eeb910d9863cb7

SHA512
5bb4bb694fbcf09ca70cfc252eafe20cdd4e7ebb69380e0b5e29878a60723abcf04ec90e9f0362dcf1ed43bf26a2b33245247f54135bd9a3ea707f5902bb2b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
59e957c40cfc2c8876bf3491af0f2caa

SHA1
585ed6a7f20a24344227fd9814882d64d3191ab8

SHA256
7153d4ef7ea642476edd023cb0ab128f1e5006fce0f3f6500a29eed13d3ceaf1

SHA512
7016df61fb74c30a859c1bf3d2734bc3937cc7df45a3590e9c9e30671561f1c85ccfd7b7fada91edfc5976b56c4de8e9f8383feeb618b638fa98a487ac7a269e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
07d16e836ee3d2ab9811cf5f1c3d7618

SHA1
40378306f7040153067a744b09daaecdc06edd13

SHA256
f93d0d039c732cda2c8ec07e78c0f597d7e0593ae115bbfb4255f9fc5a9040aa

SHA512
ab2385c2913f153de6236af689f209b8d49f4422396022a08255f77ddf2be007848f3991bcae3829f407533218da0206655ae6a7eecca1dabb7f064e43dd13ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
10099a5f4f8052fbfb0fa8fbe633d68b

SHA1
c521eb784d85dd8c11962716e8ad71295190ce25

SHA256
5bc3e54e58a331e6875610752c9796544239a747c6e4bbfbf72f9df224619a3b

SHA512
eacc59f1f19269661e06981d48f4ff2dec12eaecafcb8e2b6ec73297ec35108fc84667fa7bda340c7934933b177dcb9aa6ee69e86ccc7a6d96f825d4419c0a25

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 606447.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
memory/4412-427-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp

Filesize
64KB

Download
memory/4412-426-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp

Filesize
64KB

Download
memory/4412-425-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp

Filesize
64KB

Download
memory/4412-424-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp

Filesize
64KB

Download
memory/4412-428-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp

Filesize
64KB

Download
memory/4412-429-0x00007FFAB4B30000-0x00007FFAB4B40000-memory.dmp

Filesize
64KB

Download
memory/4412-430-0x00007FFAB4B30000-0x00007FFAB4B40000-memory.dmp

Filesize
64KB

Download