cryptolocker | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/CryptoLocker[.]exe

Analysis

max time kernel
49s
max time network
52s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-01-2025 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/CryptoLocker.exe

Score

10^/10

cryptolocker discovery persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
2036	CryptoLocker.exe
1052	{34184A33-0407-212E-3320-09040709E2C2}.exe
3764	{34184A33-0407-212E-3320-09040709E2C2}.exe
4568	CryptoLocker.exe
4976	CryptoLocker.exe
2376	CryptoLocker.exe
3364	CryptoLocker.exe
1284	CryptoLocker.exe
4780	CryptoLocker.exe
3104	CryptoLocker.exe
2800	CryptoLocker.exe
3748	CryptoLocker.exe
1664	CryptoLocker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\252c3c13-d242-43b1-86b3-f82796b351ed.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250117155137.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4600	msedge.exe
4600	msedge.exe
1904	identity_helper.exe
1904	identity_helper.exe
4292	msedge.exe
4292	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3716	4600	msedge.exe	80
PID 4600 wrote to memory of 3716	4600	msedge.exe	80
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 756	4600	msedge.exe	81
PID 4600 wrote to memory of 4648	4600	msedge.exe	82
PID 4600 wrote to memory of 4648	4600	msedge.exe	82
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83
PID 4600 wrote to memory of 2444	4600	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/CryptoLocker.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffdaefc46f8,0x7ffdaefc4708,0x7ffdaefc4718
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6bb1f5460,0x7ff6bb1f5470,0x7ff6bb1f5480
    3⤵
    PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  PID:2416
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2036
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1052
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4568
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4976
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,12992788158034428370,14579045582071890652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4724

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1284

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4780

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3104

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3748

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c6c51122c811a0f047374c84954de8db

SHA1
46b9923064d07adc31ab16fc5a6358b46a429329

SHA256
0e2b81c17f8dfc47696bfaabe2abbe02912406734e3e2db6848615ceeb88bef8

SHA512
d75eb7e979694b47f0fde49b3514e100677d2ee7c0fc5f880d2ed9eedb5c215e15a6410db913fb7d9b1c8d4caa9235a8587e0525e4e78c4ab5170b23f8dd4d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea1c2801aa63b0b7d559edd3adc7cfdc

SHA1
535995078ba0c227fe78a9bc340e848907e420e4

SHA256
d5daf639f0e5d8039eb65ce05767ae58bfa4b04a6a5b0b01b7a42bfcecc9756c

SHA512
877abc639d9913465eba3e82e2192a03d6e63ca341e0954c9b62b109d1f0547048423f4f0b6825c4a1846b7964f1bd14272663d7166df6a71446328f9241b06b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc75efb4fd09a19305a111b597c6021a

SHA1
7a3e497440a4b5b8f3ea654e8f3fde7a0a1c14f2

SHA256
c7191d5b23e26fbac1530550c839fd64fd80d13d8e7b228f43d323243e4a5e91

SHA512
04355589eaeea6f0fa861c77034bf6083636a11d9dd3ab8f4352d51ebcfb8994af364801a96a59f2d7de759bfc14f76be32255dfbafed6a026ecf7072d61a1f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d927adf34ccb0461fd609f3e4fcfdc60

SHA1
fd0937fda89297cd7684495721606076a6e56ec6

SHA256
0a709c2e01b356c7b74b75c64afeaf0f16b6b50d884356c9fdca4c8af18d6cc1

SHA512
4c5850eda92be2a8545de644a6a04e34ba580094abe360841c7bebf7486c2791a55b5fb3b3c24b5cee52e041f739f88b996f19078df3700b0a14082da48274ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92c5e0ce8e8f79fdb1bdb359e3ab0638

SHA1
e499df0ce871bc5bebcf83dacf778d194732d920

SHA256
62a0282af84eb9311852e5c3e18c4f024091a66acb72bf97680126a8dd2f235d

SHA512
8b1036691dce590693e7d4125c7c487020a346280fddbcece726e6cac36b33bed94b09112001d6ac8d355a9d91714d632a7c4c5e027e8afea05a54852cc9cf34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
db0cc03b1657f5dda4b38846f4eb7157

SHA1
1deac63712a9f66b4a33ef65305ac5f0c678a34f

SHA256
2b79c7a18fb021ed166360ffa784c4fb44b5784d7bc8e6187dfaa80ca4c07761

SHA512
55dfbe0425daebd6fe6cf54019e690fd4dcd28917a91d1fa0db57bc120d84d2f11bf119d836b8f0cc2e5c1387fbeb911b1a08a452fc493c06850d80621f45f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
fccad2652971ce1f105ce6354c7d5235

SHA1
47e2387537bb38fc7db14eb46607dbecc093796e

SHA256
c9f86fcf54928f7f4f85f83bc696505cb63d1300f7a1ffad4b97f3cd92784c40

SHA512
31a536c04ade93a676958046da98f24b439ac8541011be47d1514a6556788d052c1950cd37968c1a9bf57ce6e0b29db9ca3f2d22e28c8b6cb653527b0d74b3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
a3fdf541ba0f87395e2b4d943805ecb2

SHA1
5f79c9de135664fbd1b2488c8746433827f81025

SHA256
110a7066498294b395c517c663e468c1a5f7b43dae4ec93c319bd4b7259f7afc

SHA512
a1a8ecb7e27bb0ed53b129169a3478f8b7d1a8fb743a1334ae04fcb1868d36b7984218c435e2396e939c3316791d4d02252ea59eb76b19dac39be89327fd545c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e1d4.TMP

Filesize
371B

MD5
fd186378ac07536b4528a0ac46ac07a4

SHA1
69349d3acd642b0872451ee3dfc1b4ea2d40cf8b

SHA256
451eb9229c005a32a9881a6c710c0576f6ad2600fd8bb62ab1a07368a926db4c

SHA512
e2964943db2032619586b7fc9008baafc5d3bf773033026ec8c53a9c60e0004f329b4f108c8d6dc1485c17073b0f09209047aeb155041ba36da5cf520c4f0e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
de4bf5ec6d5dc95f57aa71149d5bc5ca

SHA1
370e244753875e8937e5f4daac5a9d0ba12e1bc5

SHA256
9cf7f2bb63251374cd638f38971d9ccc23fa8372e093ef63609c2bb50627c8c5

SHA512
e5ba2cb3ae11c1be6c6badece96049051ad9a729e9fb5e444a4d940251748acaf858494e889fce8c6f5065a2e1cee5e3e3b74296f89bfc365bed5b2c0043e232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba198d134b65b2585db126158c81d55d

SHA1
5e6d409af20c3cd0bcd1df31cc9ebe68a60c8aff

SHA256
ce60341ec9b8f784a3ddbec7fcd82df884c1595ee2e4e8428c5614fff87dc6f3

SHA512
39adf423b427baf8d1d528f317605595394eb2913f71db49211f16fe8ecaeba03017b0f9b48be1876c5d4af1760f7e26fa6a599edcba64e856c83b15afc14261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0fbdbe1488f727d974e7f233ddc8a152

SHA1
0583d2114613e611f0e8c6a116ce20c6814350f1

SHA256
1da979e2a759f004286606f1de42bef3359a98afc3193af32c2bb47a450c6c3d

SHA512
5f1c652a9204c301445a19671f1bcc034f3ffcc5627d3b2d8eb75b403e574e54556ed1c463c64d63ce0aab9ecd450c579d1576b08795a5304fdc7c7cc8e53643

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7e68cfe0641cada87fd085f336f2c7da

SHA1
49fb07947078bc7a0cd1202a413dc21ed195e7b3

SHA256
05fe59dfc98d089707a3a0aba3d676279e1f5e1afa7b6294738b9862d445c0f6

SHA512
9a256202741fa3ccb54be0010d33cf193b124bd240c5669e809ea2e74f12f88137eca66df2b7a3f1cfa739515be9886adac5653ba523dd4d8cbfd16f6c9cd2c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
1d40f5614a4e35aa9a38184c7b7db260

SHA1
7876d0c84fff4541da6c557fad235d3ed6e7d66b

SHA256
34f9e051dfbd4aeb1f05a1ef0624bfd45b07b59b1b5e11d6ef6759f356ec540d

SHA512
e9899dcbf27ce1b39217b40fe1055962c0e6197f72463338e660e52ebad94ac8f9906b833da34777ff233553fca0b1f5ac85692482e356a846999ffa644dc9a0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 323255.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit