locky | hxxps://github[.]com/orangegrouptech/Biohazards-from-orangegrouptech/raw/refs/heads/master/Ransomware/Ransomware[.]Locky/Locky[.]exe

Analysis

max time kernel
107s
max time network
108s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-12-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/orangegrouptech/Biohazards-from-orangegrouptech/raw/refs/heads/master/Ransomware/Ransomware.Locky/Locky.exe

Score

10^/10

locky defense_evasion discovery ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky family
locky
Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
4580	Locky.exe
2820	Locky.exe
1712	Locky.exe
5140	Locky.exe
5344	Locky.exe
5828	Locky.exe
6004	svchost.exe
476	Locky.exe
4916	Locky.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e77cc8fd-d35d-461c-903f-b9578db91dab.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241228010447.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1900	msedge.exe
1900	msedge.exe
3004	msedge.exe
3004	msedge.exe
928	identity_helper.exe
928	identity_helper.exe
2820	msedge.exe
2820	msedge.exe
5792	msedge.exe
5792	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2556	3004	msedge.exe	81
PID 3004 wrote to memory of 2556	3004	msedge.exe	81
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 4684	3004	msedge.exe	82
PID 3004 wrote to memory of 1900	3004	msedge.exe	83
PID 3004 wrote to memory of 1900	3004	msedge.exe	83
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84
PID 3004 wrote to memory of 2544	3004	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/orangegrouptech/Biohazards-from-orangegrouptech/raw/refs/heads/master/Ransomware/Ransomware.Locky/Locky.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffad26146f8,0x7ffad2614708,0x7ffad2614718
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:240
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff758f05460,0x7ff758f05470,0x7ff758f05480
    3⤵
    PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  PID:2660
- C:\Users\Admin\Downloads\Locky.exe
  "C:\Users\Admin\Downloads\Locky.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6004
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys291E.tmp"
    3⤵
    PID:6016
- C:\Users\Admin\Downloads\Locky.exe
  "C:\Users\Admin\Downloads\Locky.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Users\Admin\Downloads\Locky.exe
  "C:\Users\Admin\Downloads\Locky.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Users\Admin\Downloads\Locky.exe
  "C:\Users\Admin\Downloads\Locky.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,5207357579028872736,18343773245008388838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5792
- C:\Users\Admin\Downloads\Locky.exe
  "C:\Users\Admin\Downloads\Locky.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:476
- C:\Users\Admin\Downloads\Locky.exe
  "C:\Users\Admin\Downloads\Locky.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5264

C:\Users\Admin\Downloads\Locky.exe
"C:\Users\Admin\Downloads\Locky.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5344

C:\Users\Admin\Downloads\Locky.exe
"C:\Users\Admin\Downloads\Locky.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3b681f1b553061b1d406dca73509e1

SHA1
1d0902a780b041766c456dca466ed6dd88db979a

SHA256
45099d50c298e321f628997d58aff82c1f91aa302cb6a46f5c8a2819a53685d2

SHA512
b6e59b2da8bce61cdb2f0bdbe6dd0486c68bb583a1066cafb979314c4c1baeab4136d9d958e9e9ef3a36b1d7988ae8518080b8aff9748c102d05646aea914283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
165b9ab5b6100e149d42942970795741

SHA1
873ef2b7bb080cee1f9eb80920edb54a235fc326

SHA256
fd01e423cf1b8c61bbc4e1c63f3cd70a81586a9d03a88eebd6ec3a16a1910364

SHA512
5ba31ba647b158325e7282ff6dc83e683b62895a1e3ebd5445a1f121d6d5fdee4b39164514f7c442bf67dbefcc7965c3ee946333e77047ced40df144aebef9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ad38b0bfe1a5fd7205df0e78460c63c7

SHA1
a75a83fbeee69d1fb5ef4ab1ed4968dde6f8c87a

SHA256
b68f6bae922dbbc275446267582ec23f40089bb2bfd4f5c8a293c068867861b6

SHA512
5984511183bc69a162bd449aad18625317b70f84f2de25229f35408f7be2c70e15df594e6a226989fe32012bff673589a9ea533f9efc987d1b8f0a2ebfb12c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7089a67e5d31b4fa7d4a21548cf10607

SHA1
be15a4280ddeb5bbf8ffd27b2b96303e8d734fd3

SHA256
afe9539fa47cd4df6c78cc7deff901f5476e73a6141c276ca87c85180307c54f

SHA512
15ce5e11d571af7eb576952bd93f198c4202172edb75585e8fb451f19cf9d14721b9bdcf8f4ef12ed8e80f3c9b90920eb20558c8e1df1c55be130cd8c7ebe464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ef0f056948996c39eedb80693d7f5c7

SHA1
0e39d1e4f010b161a8002f48298a90ebdc1270f3

SHA256
6ca1aaa62bc1ccbe62d2f1fa876c2aae64726031febf309f9712da76562b2a67

SHA512
841dbee508a75d337fb89893a94b69be34c6c6617cbe169bd7b76f4eb81113b4199562491be97eb0036c880a021b7969d91d8a9155b89b1819f65d3527a8936b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
40bbdc80baa7efd5a246bfd4f4dcabf3

SHA1
61fd4186ae2f26aef2ee58561823350f42ab0db3

SHA256
ac2ac9d7422f109a8be291feb9e48c95a6bc6530dbfe0c614689bd9cc6595d69

SHA512
a8efc93edcc2a903ce2a4f33fab79ca0380d85c9c74f90ffa941386235041790b0a59ccdb9a356aa113808b43df510b94aafb2990015f1a80d8194a89449fcb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab678838d656348c156b18d6ab39532b

SHA1
c023a6e798f27d914ed75ad2ddc83ed631558355

SHA256
4c0391fe558a421f5bdb329291f8bfb5ae50541f79d2093abc9bde819e36bcdb

SHA512
e90cfa651209c392cdeb08373919bf72dbccdb48c46b19b25685bc87c98b51e0be04b79d31b7188794a5a6cfdc7a58f1a4c8a539993cc503ef931c9e898b56ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
524c0eba78201e8faad29c29d0a611ff

SHA1
b8d23f3f70313f9f0f8c1e293e70a3f8173adea9

SHA256
693ac11a04057152b30e8d26dc646186c3e54bbe397122b457374d92620fde52

SHA512
5481d83540551f9999d6dbbe94c7ac200b53bb81e5d9a5a94761274332a0b4e4aad05a9689fed5b9ad6fb2c1d06f91e2730eaa4f53950f8e14cef5cf2af452ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
eeec2e8fdb3d10926be7f7f005a6add4

SHA1
ef91d915a57451a526ffde4634f1152c6a751104

SHA256
3a35c99ef359936c246b01412cf6c3bd0a7b190fbfefa584d62cc27e6f6522b1

SHA512
c2044601211d75abf5bea962e73760289ec660326f7e8fce5a588a6a7672923682fa45a0876f197ec75c943d780bd06649d1810edb8331a293365dcc415cb4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e3eb3ac47843107aa504cb28d95a7de

SHA1
00b38d3ac54ceedbd80e098142bd2cc74f729199

SHA256
c590a0264dd75b9561158896243e92c81dfc45c2e5eb00a09eb8f552a6b0cd70

SHA512
326372aa1cccd070b4ed1b5533561c112961f62efb5ed0831d3571c73b85283aeb5b8fa671e2170b4002710dd9812c4b19ac301dd895b1038f0836d2c165a732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
c60b591f0c48b695e319a09409d33aa2

SHA1
d6e9fc0f116db8991f9b597442ce27aaf88c32e3

SHA256
73271d58d6c97d13e801c9ec9b8e4197a2b8eab4691e3fb6f5bad1bf78daeba4

SHA512
29f4482317c5be97e8f2f76368c57a26c2eee4ae23c7e10d0400d83bf32d771f4251c54681264ec6f1281b2e1c44c39789d5ea6bc043940d0352da2f58bcc4e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b570.TMP

Filesize
371B

MD5
fa61733408e39089ebc906ccd477a3b1

SHA1
e536fd3f665d616d0ce68f3abebe02df2c540838

SHA256
0122fafd3a0886d960dff519e4da2599da7c9abd1aa5e57008805c40d4c0e136

SHA512
e05b1d73483580b50cec6ee1d57efbfb4e09932e8750f0b13f16a7a57da5d33dfb37e2a308532582f47a68774a2ed2d83c4362607e30d959fd512ce3a86ce0ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
866bcf8a8aea9bd8a183f17562fe1116

SHA1
9958a459adf28f753644b2cd473f361a92969445

SHA256
3b83f0bf60f8c4524f5b2de7cdc3e5c3109a167e49e8c781e58a5c3d97a08c9a

SHA512
ce0197766a289a132473a53f63cda6104176f05bd2f891ea6697f566261c7b75a0ec462490bc95349b11bafd4426d45c9110c944ba244bc4b6d9cb466f9edd26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6d8c9fb6278ac1c319bf6f2caf449240

SHA1
ebb1daa09ff0f2d61ba3f88faa3e8833f45dceca

SHA256
eb327acce91b790b4bf1e923db122ab5c7208d72aabda55a0955f363d44184f9

SHA512
70b8afd2c0d46c72c0cf6fec2f2aa67e29e968644240ef83567c98200d36a7b4de74bbfd1c005d095c02fa358fff3f3f80b5dfe064cd034f2284e7e2662dac0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c4cae7a4739f82f84378715e8ea4e1b

SHA1
502b5402e4598bfcd749e189855b9a5d038cc649

SHA256
8c85ba081ca1729c6609314aefba7b8eeedb5c69cc408d80b9b73f636b3e0b3c

SHA512
f2b8965f7813545d018f3a74ee912936a7c9c683db2cf43b19fff461bf6cd91f17b576459b96aa22fdfc157dff7b4d6951cf2ff4c952dfe04204d157d56f70f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f23bb7bc25b74de6961f217d1c9d4e1d

SHA1
5074468ecd83719273cc4b38255d6d94bfe39eae

SHA256
b45d942f6afc8dbe50ad841a50db118c7e4a4ce54da9517be0db4d603cae95df

SHA512
2bf6feeff6724771ad753c78b9f7accf558b583c2a063398858a43cd6c5a9d630c9fe4b7ee1e76d46d4f0c396d0bdc90c058725b089f8c4f11de78a16698f174

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
68bc535bc2e95fc07614e627dd05292b

SHA1
ddbe05ef94501c9d582e0fb162bf731cda542a46

SHA256
c50499e972bd0cd44c64ee918cfa49f659ebf043ca9b758679132a9a48d8f430

SHA512
a66f98481bd6ac114d470eb871021a5592abc5edaa961a30df7a787c2a44787595a971d62b414981fe48a04f9eb32c51f706ee5d589e0ede6f41a2872a5747a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4518fc205e0db69cb796e8aa3bd4d897

SHA1
da11530b4a621f5de82bd66e3a57ef70e1e373b1

SHA256
712f462933863bcbcaac5affb03d80ceca8685d14d98e5e9eb075532c50d9d1e

SHA512
c2225e0f4c472b2e1e30f0e19afda4865826b52dd355a81f57c19dec4ab85c3196b7c7153ad00b68a2c055985431bb586d592bfc3c99424d2ce23d881880f952

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 754255.crdownload

Filesize
180KB

MD5
b06d9dd17c69ed2ae75d9e40b2631b42

SHA1
b606aaa402bfe4a15ef80165e964d384f25564e4

SHA256
bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

SHA512
8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

Download Submit
memory/1712-542-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1712-283-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1712-261-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1712-399-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1712-333-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/2820-318-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/2820-392-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/2820-278-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/2820-537-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4580-258-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4580-254-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5140-284-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5140-400-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5140-334-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5140-262-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5344-393-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5344-297-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5344-538-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5828-499-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5828-320-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/5828-260-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/6004-395-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/6004-541-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download