wannacry | 273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2

Resubmissions

27/10/2024, 19:47

241027-yh2w9synhn 10

14/10/2024, 05:07

241014-fr6ygatfrk 10

Analysis

max time kernel
27s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/10/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Size

3.6MB
MD5

48bac2dba6ccf491a0b5edae84d29d20
SHA1

3823d56b5097f9e748b1db2741dfb4bbc94b8ed3
SHA256

273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2
SHA512

a66fb72f996f58df0f282786937424ab44120987a2f86b5c43012da9b41d8c9b9dd6549b8b5ab7919a3f81f1ddc9803f8da5ad89dc37606fe889f25497a85dc5
SSDEEP

49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAWv:yDqPoBhz1aRxcSUDk36SA/

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3073) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
2528	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6915C7B6-763A-4A1A-87E4-F861B9CB9333}\WpadDecision = "0"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6915C7B6-763A-4A1A-87E4-F861B9CB9333}\f6-3f-4a-c8-89-21	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6915C7B6-763A-4A1A-87E4-F861B9CB9333}	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6915C7B6-763A-4A1A-87E4-F861B9CB9333}\WpadDecisionReason = "1"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-3f-4a-c8-89-21\WpadDecisionReason = "1"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-3f-4a-c8-89-21	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-3f-4a-c8-89-21\WpadDecision = "0"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6915C7B6-763A-4A1A-87E4-F861B9CB9333}\WpadDecisionTime = c02a662da928db01	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6915C7B6-763A-4A1A-87E4-F861B9CB9333}\WpadNetworkName = "Network 3"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-3f-4a-c8-89-21\WpadDecisionTime = c02a662da928db01	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2880	1948	chrome.exe	34
PID 1948 wrote to memory of 2880	1948	chrome.exe	34
PID 1948 wrote to memory of 2880	1948	chrome.exe	34
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 2088	1948	chrome.exe	36
PID 1948 wrote to memory of 616	1948	chrome.exe	37
PID 1948 wrote to memory of 616	1948	chrome.exe	37
PID 1948 wrote to memory of 616	1948	chrome.exe	37
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38
PID 1948 wrote to memory of 1124	1948	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
"C:\Users\Admin\AppData\Local\Temp\273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1832
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2528

C:\Users\Admin\AppData\Local\Temp\273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe
C:\Users\Admin\AppData\Local\Temp\273380e761312bb519d1a0774cdf7f1334e417fe23f90514c27e31f8104716d2N.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6849758,0x7fef6849768,0x7fef6849778
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:8
  2⤵
  PID:616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1468 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:2
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3180 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3420 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3556 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3436 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:1
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1560 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4444 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2548 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=536 --field-trial-handle=1228,i,8002034272882257032,17142393845234891087,131072 /prefetch:1
  2⤵
  PID:2684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf774cf8.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
385a4a26913c2253feadaddc41af6bd0

SHA1
778e117c2e714e3475acab75b5eb8d51da564d27

SHA256
e46b91a5ebe32ff9bca71c98ebd620b7fa987eca2129ad89067482e67ceaa31e

SHA512
c82fb649e71c3cb645bf2516fac38edd07b9284c094a34f164608f4089fbdf34d7a774bdf7b42efe383db3ede3f09d76ef5c5a2249b2edca3401e3e0caf2f1cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3739db0a92517b86a4ff239e7bc06d29

SHA1
6fa01553375d12860f56a45e49f91f39e3c31a1b

SHA256
0b6a721747d8c508d67b8ff601978da9ec25e7ae243f17e6f56b8d50a6927efb

SHA512
a361f6c68d4a5dabe58c4621826323fdc0faafc06b1418a2a00745f55e51b8c394a06fd7df631ac998c97eef35abe9395f3982788b7824812f7851e5117f8679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
844B

MD5
819326a45f801a0bb9138eebedc061a2

SHA1
a143ee54af20ba5b017a9cf73a4605dee9c2f309

SHA256
af7a5ece8e66c057b816f7c465aa9f7d1b60d872e92c3f577a22a1c5c3906ee8

SHA512
7ab4c6baea9a4a7d542f39a90ec859c4e3946c217b769d43a3a748558dc063546c11034623438a1c38bc192d15004bbdb1866a24eb3d7c659cb31c520489e717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
0a7d76e51ac674e01b711b1eed487c86

SHA1
f08720e9ad50ed3b972a38b85c6f0131d771f839

SHA256
2716cd5e85ddd7b9efc205b0855e17bccd6a7f205ef0c7d534696b20ffd5ec04

SHA512
868d44136fb68afbbba91b0a246fd7c25dfa491a46981ba0e5167bb127ccf41eebf7575a823329cb639c311f706a0d5c52de12cd1bd4d6a6dcbdf7fd53f654f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
844B

MD5
2e0380be7e632cfd74904e86c38422bf

SHA1
c0433442d4c0b69e67ff052b966aa45435decb85

SHA256
af88e2f239b1944e11751fede423ab37ed78f5c9069526b2b03cb9347cddc6ac

SHA512
203f4f14a935c09570d7ec822622143b91a9fb1ed968540830e943786994788e4fb36efa21a1f2fa490ae43a43f582e21508a6488edaea73041af5eab46e630d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
683B

MD5
b484f75964707cbbb6a1ab60c2851080

SHA1
bf8658864b5f4817654c5d362e493fdc3b073670

SHA256
6191d33efeedec654f7f89f5086e3f6f83f2d787090c050125b94cc6fccdbc1c

SHA512
000f411c706991ca5872a3bfaa93bdd6c0010c793027e8f0ae0dc70493fd568361f1c83af7372cbb79e69ed544432661abf997fa8a72976c58e7d2889d68391e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
04f4f921165771fda139595eb27ca419

SHA1
947aa9268efe08da322efb695e4bf456496b8c52

SHA256
6786adf0a35a9b76d15e83b3b7922c3608bb78065f7e9f2e5ae907aea2bcce50

SHA512
8ff399a5c5ec3b576b3adae0efdecf2b2052bb621e486712fdff11abf9a8c5abbf9016e584d9850033987697836fa5c76524a788c043debf6bbde12e26a51a38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5bac097423cfa682a07a3621b70f2253

SHA1
6566d0dd9f77ee18b03c318d0baa03a3716de733

SHA256
681d3d491444d17d090619947bf4fac59e9e777aa0e736715e95f8fb51b55610

SHA512
3c89c8da46f66cad8fd47c88191ae0339d3bcf37993aa3c9529b28f52a20391ad381c0844b24a882b214d50b991c4658870808a680edf054837f54077241dd9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
61e57a8e848754367413c7c78770db84

SHA1
629c99951168b5818e92db2321741e74100d33b5

SHA256
8eb465278c10fb544ffb2e42063c01e2b9275c2de4a2b3d4f47d6f013642b4fd

SHA512
2be6e9a1e0211646cef47afe0451968f6b09c06ce921fea47ed6033f8eedd1d8855404ecd66ef074c303f2b61e0455e4cb117aa7603fbe7b71414b49f2642931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\48ab7439-0fcb-4eac-ab6c-a3d4f9624167\index-dir\the-real-index

Filesize
2KB

MD5
f9ef60a627becc3e180fc1c1f23571bd

SHA1
a0b49b3f328717c6be7a13dada2677d54ff1de7e

SHA256
cffdc387133a5a8a74a0a23dcecaaca4e9f1a0668005211f38ea0a338960579d

SHA512
1569524aa7a8e3e789af1feff8790ab959b268f1f7430427b55e9c2c2bdef7dded33009bfbb03e622eb3c18e2ff73bd418ae88760ae7cc727de7f6511b386df5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
e7cce42e3304fe34179a056573ca08a8

SHA1
536d26cdf8e391110349cb32debcdf80fe2f666f

SHA256
e0b2228a9c80d16ab76949c9205167167b44e69f735f2212c6dedd5fb9f00899

SHA512
cafd710e87385dfe6ea429fed7ae97b6c73f5221eeec9b559242f7ca3507ec6b51029764049205becca1e11b141abbe558f2f4dfef9113626a00c21fd521e289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
f8822a0815c078df1ec5602bc4963b38

SHA1
a0997cb1c267c372b3dd8fa3a9a9e453926c55c3

SHA256
607889ebdc677f61bdd0086343a2a282bddda3a683540e418e35729a52cc9836

SHA512
99904954193643eeff8587fbb0bbc68856d9304e0f7b23522e6fa0dab7f59a2f093cdcd67efc81ddf0e89286d81cb932b8ad4fd42cfb7a497e98469ec7555579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
3266b639e28a14e48d8fcd91d255c6c8

SHA1
7abb283a1804fa13004900f012fd1f10bbeb6ca8

SHA256
4391bdf02e8da827837714bcbe43e111d7c58f78b56996215f7af589e23420a6

SHA512
692e9ef963c24c0ee750e0bf4db4a0089220094af45af6da1e64fc4dd97e07eba7a9cdb49d87dfd002ba0830807eaf0b00efac7c5480dfec7f6522358c98d5c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
90a4b930678a24b927a5e9b6f71ce8df

SHA1
486ab02d5c14264e1644d30885c892e530747e6e

SHA256
ae9279bb4cf4bfdacf63d17f3031e5292e41131c7b2c909d3a10f4a7249580d2

SHA512
d4b1d0b137134afef15fa65f486f8219f6e60e22eebcfb1038897f7fdfc4e373a57d0359dd1393cbb986a48b89a42dacbd390adfd37617914a80c378d3798ff3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
c797b112f8515cf959877216fe253696

SHA1
760ae44bdb27e508076cd6918001c883348d362d

SHA256
1dd21be7469718e50e735d169b2207f2d99aefe0429d1bd19367af45c13e88a3

SHA512
c06ed43e9fc02933485f5bba3ff7a21089cf281b089ae49ab65d26c6cfa3086db908a914ff401c6951b69ba9fc944cd13029ee8fc0e928c20cc65edd98b98b6b

Download Submit