wannacry | hxxps://bazaar[.]abuse[.]ch/download/b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839/

Analysis

max time kernel
142s
max time network
142s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13/04/2023, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839/

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Executes dropped EXE 6 IoCs

pid	Process
4812	mssecsvr.exe
2308	tasksche.exe
1676	mssecsvc.exe
2364	tasksche.exe
4396	mssecsvc.exe
3188	tasksche.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240667187	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File opened for modification	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133258183943806348"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
168	chrome.exe
168	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
3880	7zG.exe
4848	7zG.exe
2308	tasksche.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2488	2460	chrome.exe	66
PID 2460 wrote to memory of 2488	2460	chrome.exe	66
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4080	2460	chrome.exe	69
PID 2460 wrote to memory of 4584	2460	chrome.exe	68
PID 2460 wrote to memory of 4584	2460	chrome.exe	68
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70
PID 2460 wrote to memory of 2228	2460	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://bazaar.abuse.ch/download/b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa03d49758,0x7ffa03d49768,0x7ffa03d49778
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:2
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3652 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:8
  2⤵
  PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:8
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2492 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1988 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3752 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5724 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4520 --field-trial-handle=1800,i,8468566165270776760,5592759447944438446,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:168

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4356

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\" -ad -an -ai#7zMap26614:190:7zEvent8963
1⤵
- Suspicious use of FindShellTrayWindow
PID:3880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\" -ad -an -ai#7zMap29195:318:7zEvent11316
1⤵
- Suspicious use of FindShellTrayWindow
PID:4848

C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvr.exe
"C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvr.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4812
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  PID:2308

C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvc.exe
"C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvc.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1676
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2364

C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvc.exe
"C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvc.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4396
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:3188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
162KB

MD5
fdfdaf63d56b4a9cd6641d79f7159fdc

SHA1
18b413d8b6b9f3bec32026b7e9d9f4e5e366922f

SHA256
f4dba3e15f08cf0686e6d89370ed42e8a5dafc38973501f0aa6baa9b93c720f3

SHA512
06fd67f1a2d5f168c75b5b833d3222d6c0eccfadd4021173a7ec7f949971554d1c7df322b1dc512ef14941e76a9ff6445ba3bd16d940be5bc177be989ec39c2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
7af7debd1fb64ced45ee80f06cbe0a28

SHA1
bbe2f12e73b2de8f50645eb6bc658093ebe6b980

SHA256
7dbe060f55cc849a3c2beb67a77e40b773ea3462b06ffaaa4542040881634a84

SHA512
91ff990213e1bffb59fcbb7fdac0994b421cccd437f0b220871f3ae723a0aeecfdf028f83a1b0ae62775a3178c0b2b89b517b783036d6da213b1c8769f23432a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
8bde08cc7d51402dc1feec9e5d137c75

SHA1
4d0292e563214fb5962c8de1339b202ac4e3f408

SHA256
d318ca83b2b9e08df1f0d9ca5aff33643f4cacaf05a5dece9f8846d9043f6ceb

SHA512
ad30dde381aecccb03ef5d413afc0dca041249d20bc3f026256975fccde516ea8b0266fbe92a2d1a9b998d7552848fa53476cbca73dbea2b5449c5276cc99eb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e1b4c4696bc8da0ca0c13ce73269a092

SHA1
0365c96554868e968a673b2d1652ae2b0aade730

SHA256
79f943540abe2421ca488142e4f0eb74762791255416fac0cb7159e6b835b2d0

SHA512
2127c00ff1644a0a7e26734a59c4d93b7deae6ea04ff76e95015548ab014905b75f6590abca924613cc37cef6d0c31094e6f4a177a18303434642751eddfa68c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
61c30fd1ef593c7d0acae99e8915b120

SHA1
467bc39ea32251ff106f2b16dcc3fe77b78d7fc5

SHA256
7440a3302b3e4b694cfd6a4be4519f5578a04d79e0c99ab5872e7d3071024715

SHA512
7ee483b009b46983d18a50013fca0a37d7fb8dc7039a3ca83a08eefa232f8cd9566fad9061be16fc88ab6da152aeac331248139de2395b68614d233da0d41402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
1e94f0b6914e65fe682a5d9c042e6340

SHA1
73b24c3849bacb2ac20c3f179eec6462d0753538

SHA256
29c2efe10ce8fd9f3114617b31512d03c19295948616e72d5b0cd168e1fb19fb

SHA512
64dda301392f8fbbeee4aed31618c12b21c6225ace67397f521841bd132c60d4588c3ff0222c340877307f31b90227b04bb8790e3a0e7ce70fdaa6f87e3da2a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
1c96f55a678c71d3c10d8236d239b125

SHA1
14fb4f302fc3676f38e0bb12a4e7d0a1d7ff5e91

SHA256
c0330bbdef509f5ad506ca3b84a20204dddd7e3f35868d84ba06f44c3c756bcd

SHA512
b1f48083257e2005256a5e7629e8cbc02497a9fee1384c69442259fc31c31e251a92a20375b142c53ccc5bac036e0bb3e0c008abd0c91de05bdc72c7d8450a96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3f14fe44ac9b4dfeaf853ccc0cd75909

SHA1
aec9dd6b7ca7bd1bbca6a26a0c13b33fb2f06570

SHA256
71fd273330add9085ad248cbd65e93402efd39b0aec977566e40ffd7502bd622

SHA512
0c079f5fd57a469f00ca72e020737147b50c1ab9519cc33160413a9003fde3f22594deb4c93e55d41ddbd32065fb87adf2a4a09f12f3cca854be6e72559de40a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bdbb2574d8dbbbd4d796c5c7d5bae848

SHA1
d72e098bdd90805f582669362c618e9929cde970

SHA256
3d75639e29460881aadb70addf0837adb9c9eedb57d8f3808de111dafb156e43

SHA512
3604d5d60616c2de83962c1e1c8a612e8725410b9ffcfcbecb556740f2a1911e547286509081409e521974b3993b00a240e6f87f303b2549a01e21fab54f5d28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d76da7fc8719068383f35ee0b991ce4d

SHA1
fad7740b7913caf3c88684444c6ce0953d65d395

SHA256
d42f5632cfb59261d3ee7019765b6f643723d90b3cb694c1b70cd36279bd0574

SHA512
e0ed0be4c8ea2bca6e333897b0420f24ed5d0264182d17d83155bbf23d7ded33417d3a9dc0a4fe48bceca9f162c46a0b28f3d11e9a956e189949daf13f7f67ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b3c03440-d39f-472a-9eb8-0ac82b5de850.tmp

Filesize
6KB

MD5
b8ce37192ce673eefee26b219a3ade7d

SHA1
bc00e7ed0ae63a7c208d27dd468e741adb3a83f5

SHA256
4837e1cfa91aba705fa542c78d84a17341825353451cb0c9692cc7a829164581

SHA512
da49ecef89c18e21afe65324af9838e93a4c17f1a5fabe4fb6856f9fdc67571c2a4a600c5df7c94495f8cbb31c9b9060779420cf1d2447731a2166147e369810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
b5e0c03cd47a0f6121e5734b6637a955

SHA1
f30818da4d814e6e54700e352d69941960255ace

SHA256
2752dde9613912a0a1b283f4969d4c7a3a8d48da8b236eb87b6e1583c9cf5080

SHA512
50af929a154496b2318d3de22db69102c255d7d7893c85490947077c01d1c6757c810ebd62208777ec659647ba23afad3e107c9bfbda14d2f4708c2931cfea53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
e094000f487c27fdda981fadc59b7294

SHA1
01af9c90ef3b4dba4c40f8300754cc3f34ede3a4

SHA256
541bc2ca0e72315566485740a0501e60a5017d3124376d27441992860fc2687a

SHA512
554291c00bb6722b7a1d960847c20e46f8c19a65ae6ae60bff7513c8c5793d738327b198d29b166d0f442f785f32306eb5c02cf8dff2aa61f424f51c125ff270

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
679b0dee3b0dd780491367846933dbf4

SHA1
f5cf5077440dd1a6bb97e65147abc1144026753e

SHA256
8c2172e99f2ee789faba2060f08a40a12b40670b715db097b29350612427e0c1

SHA512
5936352d11086d420b4152b11669429dedf9562dd08679c326c72b14b31277331975fba01384a5f8bc3dceed328b267c298d1f9b9dc24b878284777439581420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
3fcfe3873d7cf820d096ef1f50a6e23c

SHA1
09e67ce097f34f92a503ceb1d5024a46e1d25e68

SHA256
ec7d6f2febd25403e1a455079cd209a3c086defdea731865a98eca1e21984453

SHA512
6c408d6fb6667a6a8e2591ec03c83efc39a4414c3d431618840d3b5773dadea6976645cd6fc15cdee27bd516dde2eae05145a344aabda7d10107fd825a22f886

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe575d62.TMP

Filesize
98KB

MD5
3a1b95ac7cd62ada2610bd800c39cc58

SHA1
be7fe2f00dfa39960e6b9289f77a7851a4033768

SHA256
126790a49a8e2eef5257cc0217ab57fcc049778188e16204ba7934241f049fb1

SHA512
55ea2fa05b2ea7347bd4f639b4b50b34b2eb0d6f0d38c68dfa75aca3275ef76b54f84f2428be8e0bffeff1f810d78a4ff4cae349c5b3dbe85c9d6ca2260faaa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839.zip

Filesize
3.5MB

MD5
8d0ecebe0e8fa969f3a6ef5927fec838

SHA1
80237964be36933f1a4d6e1bda66c40ac70c93bd

SHA256
69a051eac64581fc15c93df7ca8851a1e9233b5a166062c9279206fc8ee9b4d7

SHA512
21e52a57b91b2fd3192ed1a560c9f798285ca8ad5d9a3a852241aff0d98f281a2db02751eea6cf56dc72fff7fd147540815c94348c2d1469fb2c39ce8894093a

Download Submit
C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839.zip

Filesize
3.5MB

MD5
8d0ecebe0e8fa969f3a6ef5927fec838

SHA1
80237964be36933f1a4d6e1bda66c40ac70c93bd

SHA256
69a051eac64581fc15c93df7ca8851a1e9233b5a166062c9279206fc8ee9b4d7

SHA512
21e52a57b91b2fd3192ed1a560c9f798285ca8ad5d9a3a852241aff0d98f281a2db02751eea6cf56dc72fff7fd147540815c94348c2d1469fb2c39ce8894093a

Download Submit
C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839.7z

Filesize
3.5MB

MD5
8cd3171731732dc900132cfe52b33dd8

SHA1
d7b069c83988e60d6be8657401041ee02adb96d8

SHA256
b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839

SHA512
5c45b61694ac5636fe121decbd5bf5cc0ed0d34ebac5ff381c4f9460799a799bdd18ec3e3a62a8e249d616d8ba046f1ba74a441e528f21de18f3cdfaf0c09a34

Download Submit
C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvc.exe

Filesize
3.6MB

MD5
d724d8cc6420f06e8a48752f0da11c66

SHA1
3b669778698972c402f7c149fc844d0ddb3a00e8

SHA256
07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd

SHA512
d771d74894e72402bbd016787fb102053678424205644bceec17ee3e7598e3f4aeb59b0f3272b5dbe1d26289f659024520653f57fc1bfe18054ffae4f188aef9

Download Submit
C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvc.exe

Filesize
3.6MB

MD5
d724d8cc6420f06e8a48752f0da11c66

SHA1
3b669778698972c402f7c149fc844d0ddb3a00e8

SHA256
07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd

SHA512
d771d74894e72402bbd016787fb102053678424205644bceec17ee3e7598e3f4aeb59b0f3272b5dbe1d26289f659024520653f57fc1bfe18054ffae4f188aef9

Download Submit
C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvc.exe

Filesize
3.6MB

MD5
d724d8cc6420f06e8a48752f0da11c66

SHA1
3b669778698972c402f7c149fc844d0ddb3a00e8

SHA256
07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd

SHA512
d771d74894e72402bbd016787fb102053678424205644bceec17ee3e7598e3f4aeb59b0f3272b5dbe1d26289f659024520653f57fc1bfe18054ffae4f188aef9

Download Submit
C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvr.exe

Filesize
2.2MB

MD5
142db3228dd9177f5fdaec26d0f0e19a

SHA1
f4f080d897a4fe16aa557a3499a7d495db62148b

SHA256
458d19c4e0d41353ade3b5eb94815436ac911ad13c2fa525f753d5ef182f417f

SHA512
07a24755cc8e53669065d3dcfaee9ff6670670242b4e7f5ddd82f75501923372a394063f3b6a9fcd27cf67eb84a152e3b7b7c7d0327d22e2591fb47dec9053cf

Download Submit
C:\Users\Admin\Downloads\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\b024d90cd12719f7fe82e8a0b4310f56e6769c2640acefc564e222deabf6a839\新建文件夹\mssecsvr.exe

Filesize
2.2MB

MD5
142db3228dd9177f5fdaec26d0f0e19a

SHA1
f4f080d897a4fe16aa557a3499a7d495db62148b

SHA256
458d19c4e0d41353ade3b5eb94815436ac911ad13c2fa525f753d5ef182f417f

SHA512
07a24755cc8e53669065d3dcfaee9ff6670670242b4e7f5ddd82f75501923372a394063f3b6a9fcd27cf67eb84a152e3b7b7c7d0327d22e2591fb47dec9053cf

Download Submit
C:\WINDOWS\tasksche.exe

Filesize
2.0MB

MD5
beb8a27fc024962e045c32aa58d07d0e

SHA1
796d3613673f323135865c42272abef347add163

SHA256
ea2ad4d3bb98673b88e18eea1bf06c371c206b64246a9193b2a64ba4fe4f4900

SHA512
e84c03f6f4399b28e0d258b743831f36c621325d9b199cbbdd6982ed51280facfc5a953a2393788bbc54efb653f95c9f75ea29c93c147c9227aff3395f788179

Download Submit
C:\WINDOWS\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
beb8a27fc024962e045c32aa58d07d0e

SHA1
796d3613673f323135865c42272abef347add163

SHA256
ea2ad4d3bb98673b88e18eea1bf06c371c206b64246a9193b2a64ba4fe4f4900

SHA512
e84c03f6f4399b28e0d258b743831f36c621325d9b199cbbdd6982ed51280facfc5a953a2393788bbc54efb653f95c9f75ea29c93c147c9227aff3395f788179

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/2308-364-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download