wannacry | 55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3

Analysis

max time kernel
45s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Win32.Wannacry[2].dll
Size

5.0MB
MD5

30fe2f9a048d7a734c8d9233f64810ba
SHA1

2027a053de21bd5c783c3f823ed1d36966780ed4
SHA256

55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3
SHA512

b657b02506f768db3255293b0c86452b4dfdd30804629c323aaa9510a3b637b0906e5963179ef7d4aaedc14646f2be2b4292e6584a6c55c6ddb596cff7f20e2a
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3242) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1292	mssecsvc.exe
3020	mssecsvc.exe
3044	tasksche.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f018e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AFAD4DEF-FC11-475D-B15C-9DECCBDEEC81}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AFAD4DEF-FC11-475D-B15C-9DECCBDEEC81}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-f8-5f-47-7b-dd\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AFAD4DEF-FC11-475D-B15C-9DECCBDEEC81}\d6-f8-5f-47-7b-dd	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-f8-5f-47-7b-dd\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-f8-5f-47-7b-dd\WpadDecisionTime = c01730e95243db01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AFAD4DEF-FC11-475D-B15C-9DECCBDEEC81}\WpadDecisionTime = c01730e95243db01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-f8-5f-47-7b-dd	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AFAD4DEF-FC11-475D-B15C-9DECCBDEEC81}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AFAD4DEF-FC11-475D-B15C-9DECCBDEEC81}\WpadDecision = "0"	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1976	1864	rundll32.exe	30
PID 1864 wrote to memory of 1976	1864	rundll32.exe	30
PID 1864 wrote to memory of 1976	1864	rundll32.exe	30
PID 1864 wrote to memory of 1976	1864	rundll32.exe	30
PID 1864 wrote to memory of 1976	1864	rundll32.exe	30
PID 1864 wrote to memory of 1976	1864	rundll32.exe	30
PID 1864 wrote to memory of 1976	1864	rundll32.exe	30
PID 1976 wrote to memory of 1292	1976	rundll32.exe	31
PID 1976 wrote to memory of 1292	1976	rundll32.exe	31
PID 1976 wrote to memory of 1292	1976	rundll32.exe	31
PID 1976 wrote to memory of 1292	1976	rundll32.exe	31
PID 2136 wrote to memory of 2956	2136	chrome.exe	36
PID 2136 wrote to memory of 2956	2136	chrome.exe	36
PID 2136 wrote to memory of 2956	2136	chrome.exe	36
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 840	2136	chrome.exe	38
PID 2136 wrote to memory of 844	2136	chrome.exe	39
PID 2136 wrote to memory of 844	2136	chrome.exe	39
PID 2136 wrote to memory of 844	2136	chrome.exe	39
PID 2136 wrote to memory of 1652	2136	chrome.exe	40
PID 2136 wrote to memory of 1652	2136	chrome.exe	40
PID 2136 wrote to memory of 1652	2136	chrome.exe	40
PID 2136 wrote to memory of 1652	2136	chrome.exe	40
PID 2136 wrote to memory of 1652	2136	chrome.exe	40
PID 2136 wrote to memory of 1652	2136	chrome.exe	40
PID 2136 wrote to memory of 1652	2136	chrome.exe	40
PID 2136 wrote to memory of 1652	2136	chrome.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Win32.Wannacry[2].dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Win32.Wannacry[2].dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1292
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3044

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef58b9758,0x7fef58b9768,0x7fef58b9778
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:2
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:8
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2136 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2144 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2612 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:2
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3356 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3776 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=908 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:1
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3456 --field-trial-handle=1228,i,12656414479071105842,9345970002304969389,131072 /prefetch:1
  2⤵
  PID:2832

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3545a9e694a7a24c_0

Filesize
289B

MD5
0138e25a20377363cc49d348f5a8ffe0

SHA1
4fdb74758c7f455bc4b81cc91c2f8966dc9140f5

SHA256
def5ca31de814cca8411f1788c6ae2fd96a2b98b98b39e826ff88a8a86769cd3

SHA512
03f0ee1604d66f798be64603c71395b56cdb91d9bbf95e5bd8db554c11c0840ca10376db80e8888c033984eb38ea52d9c71b3531807744968ee372f7f4f1bfd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3d7673d115242a59_0

Filesize
19KB

MD5
82d93d2486f82f8bd83a690e3319be88

SHA1
8f82b45cf0ef810ba750b0aa6283a22a72d6ba59

SHA256
2816c7c100c9d808cb590ff40ccef10829307fd0eac248e54c16ffffec44b4af

SHA512
c9a073d0ef31c39b4d615d01d245c121afaa3c2c0cd595a99fb956df720ecb9f01cae1245b4ed6643854aca2d51467710f05e8449bb32d8c62d1021573e03d6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c07c7b959619fcba_0

Filesize
355KB

MD5
e72483ebea635424a3ddc5f08e12e132

SHA1
440e26534fe5cff4c7cf1033f2911e09cf13ffde

SHA256
ba9f74c51e1f6586b34a834585604c812bfc4653cf200661b2f6f6088622fc08

SHA512
ae02d131cee45d5be475e17e8a1e7bdb805814bb2b70848779cfd43962ecd85f0e68c388c3d5c52b41b141528f349db42dad66c7d13ecb02e646f59edb4a6dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\eef153ee5b884e2e_0

Filesize
280B

MD5
f46d9ddc4801b0e78b87d1ccaf2ccc5f

SHA1
efaa8494d6b311f80f7ea62672d93383d60f5d6b

SHA256
966ef3d46d2cdb6018842bbc6835cbe9cb1f333fabb1d54eaf3af9fab24afb13

SHA512
cc5740e8529b1b477a236a506d10b924399dda387dc6f45023f26907920e0b51710046bd3c7922946d0aae429885f48a64f0c9e5bb80fe4303efd327cd048513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
a5d699838bd0dd443dac801287dd014a

SHA1
d61695e70797e8a60f5c7e4426224d8d8731affa

SHA256
33608728810e03e3cce44de4ef63654252c19ae742273538b4703e1826b2b908

SHA512
119f363eb454cc8df435d018f892ea446960fdfb570e287f08a5f897b7a2d652a78221d84787137e7c487306b8899130764c2c8a4e0858265c48f5f5ac770e2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
0f834ea99bea036c5e06153c88aa280e

SHA1
1b336583bb1a060dfbf6b85567e4995ac801aa27

SHA256
458b6407bf7a0dc65e9f763f17ada6651aff7b6860af0251564df70758b6ffe9

SHA512
8e6bee97714fddf9550a10128ea6191b45e6894774b95ead4b1c339a95ae2e2f6c99f47af4552ee005d5e767ae3f531e1559ae4b439d86eacbe4d1785f5d0702

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
1c6ce3b9fc15be5f4b1e7638cf84e43c

SHA1
13053777a39fcd1b527a1e3e3941ea9e871aac99

SHA256
abcb7be789c9f64dca6ae7211f697c3fec3b087248099002becc8f918bbff6f1

SHA512
64d2ab0daac291fae68c46d2bc43815b20f7579173c1423e1c6eb5974d7510bb7617ff1c3f53b513b12cbbf5df7fe9fee076a1fdd1e27a60debe73bab4417dca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
4da0f091fffef7b4eaaf781baaf3e599

SHA1
1cbefee6dfafc93b83ee6c4a48d3bb7d728374a2

SHA256
80fd01903716d180d87df54f6527bf182d757d3fc497b8f6e0cf30d38d464aec

SHA512
509e88e2ea72b6c008fc2be91a394e82e750976d08f403072cecb188557e9fe09c0859e43856c896a603f404233de772663b368a09bb6ea34b33aeeae8b40419

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
96cfbd42c48e4a972b6c8622a5edcca9

SHA1
6f03c10ebf05a3ad81f4b14518a77e0b8b3bb825

SHA256
36c8fec7828496f1344b9e503cdbad82ff0ce9564e571c3b7e5b9343aa48fd82

SHA512
763bc2007ef4aed1b73e6e5a05409189573dcea4fd0e7378e4e9ade6501f54f4f5362bcb3957fc2e894d8268d531c13344b97742a05fdbd628137e2c2c25701c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7c00ff2c13b3b50f5f91ebfda00aa87f

SHA1
623f0902fcc1b315d9b05ac477c160a45e0b5edc

SHA256
57f294d084724053e7c9218ea2b354b022c36cf73efd952f1f78144258af4b77

SHA512
34a50e25180dd89efdf21aad2a5d5d9232463510fde724eb6f720270de71d8e98a059d6e9cc2ad131f10bc3abafdb25322878238650e02eacb101c4e18373a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8d56969045a45cf381782b34d89dbc3f

SHA1
9af7290b45cf769ec33fbae0f07a91fda1e97e2e

SHA256
a810313a9a7e782d955b24cd81e6ed4585e66728a3a4ef53108cb102313f5d32

SHA512
19004b546e314b46d4cc340b30aa05ecab7c27195a4f4274234e99e8febe1ba6d280cb61505551aab826ddf3fee5e8edde7c35d5dc8780fee9ec8d39fe059106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8a055c816eaf1f55b16c127864e267f2

SHA1
ab73428a17f260fbe224bad2ec0128e61fb53800

SHA256
900642b736d10a8c041e1cba6acee6781dccb73fcfffbb3ff8829dc5725e79f5

SHA512
d7a8c2913685b6890c8fbeaea82811f85609bc3d6a86e01f947bc2b6cacef8ffb24cce137d2395ee3731d9b6b2913a9f8f9d10aece6d6ee192182ce3ac7b96db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b9dfba8b5b888d3410d387552a732831

SHA1
7ffaf1a75a4055b9b07d4b6ed51b86ebdbc6c546

SHA256
3b663ca11639ed615c71bb09736765397b6e9d08506ca561a74a0404af38fc62

SHA512
d7efbb51cceda27adc2027126bcefcf86e6d154c6b617e38665c6df5308a37b7509223e30bbbd1dff48dad33bb0a98cb6906978b972e3667d117c09b3a7a2068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
90a1e06d78737b9a87e8ea42f76e2544

SHA1
785ddf8bd3add2da415cbc7c39aab7eb21407d20

SHA256
e1bee0f7a7cd0ac8659033d9e67bfc83ae03843ed30dff8ca590f916604a6de7

SHA512
40ee623eb975b3890d3e8260e76963d078a7734c040d4151fa0cf11fd6e2421f5ea609f67922a51c6df7a09f077087361586d5f40208bc97ee70531e2a3df5be

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
0df2ae526d7350c2e3d1383c07a6be04

SHA1
06c4d41c60736ea1e0bb1b095536499e05068442

SHA256
10111f53da4181d548ea77cc91f02a15b9ede3f111f074230761f2afee7cd637

SHA512
9ca1ca36dcefdb1eba3152bc2d14c9dceb3360960338d13db5f8a02327aef80cb0ab238c2c1f3d2dbd7fd75124d4199b5cd63f173a09a0dea212ebb265f8453d

Download Submit