wannacry | 32e8d2652212baf105519ae7cac8bc087931fc67bcdcf940b75bd2bcac037627

Resubmissions

27-01-2025 04:05

250127-enyx1szmdx 10

27-01-2025 03:50

250127-ed4qhsyrav 10

Analysis

max time kernel
135s
max time network
617s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Size

3.6MB
MD5

a1a3bd4ee2c15ba4544965f5c5cebd18
SHA1

6a0ea0b1c9beb2db9905d5ffbc84130005d2cf4f
SHA256

32e8d2652212baf105519ae7cac8bc087931fc67bcdcf940b75bd2bcac037627
SHA512

b3364fa32f471efdf3c77f66fa1c9c3161c1fffd82488b62c2a7bd44d0f97651ef419ff7aab80bd69b0ab1b045a90fec48c7fc7dbeab20a3a404ca62204b113d
SSDEEP

98304:yQPoBhz1aRxcSUZk36SAEdhvxWa9P593R8yAVp2HI:yQPe1Cxc7k3ZAEUadzR8yc4HI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (9958) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\W9NJ9282.txt	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\W9NJ9282.txt	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3656CEG7.txt	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3656CEG7.txt	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadDecisionTime = e0755ccb7070db01	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20\WpadDecisionReason = "1"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f019c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20\WpadDecision = "0"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadDecisionReason = "1"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadNetworkName = "Network 3"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\0e-1a-be-f7-b3-20	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadDecision = "0"	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20\WpadDecisionTime = e0755ccb7070db01	2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1992	2148	chrome.exe	33
PID 2148 wrote to memory of 1992	2148	chrome.exe	33
PID 2148 wrote to memory of 1992	2148	chrome.exe	33
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 2088	2148	chrome.exe	35
PID 2148 wrote to memory of 1584	2148	chrome.exe	36
PID 2148 wrote to memory of 1584	2148	chrome.exe	36
PID 2148 wrote to memory of 1584	2148	chrome.exe	36
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37
PID 2148 wrote to memory of 2764	2148	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2160

C:\Users\Admin\AppData\Local\Temp\2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-27_a1a3bd4ee2c15ba4544965f5c5cebd18_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7ad9758,0x7fef7ad9768,0x7fef7ad9778
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1240,i,298274996835032484,3185451730510470679,131072 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1240,i,298274996835032484,3185451730510470679,131072 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1240,i,298274996835032484,3185451730510470679,131072 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1240,i,298274996835032484,3185451730510470679,131072 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1240,i,298274996835032484,3185451730510470679,131072 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1572 --field-trial-handle=1240,i,298274996835032484,3185451730510470679,131072 /prefetch:2
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1320 --field-trial-handle=1240,i,298274996835032484,3185451730510470679,131072 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 --field-trial-handle=1240,i,298274996835032484,3185451730510470679,131072 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3640 --field-trial-handle=1240,i,298274996835032484,3185451730510470679,131072 /prefetch:1
  2⤵
  PID:1856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:860

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
7b49e7ed72d5c3ab75ea4aa12182314a

SHA1
1338fc8f099438e5465615ace45c245450f98c84

SHA256
747c584047f6a46912d5c5354b6186e04ea24cf61246a89c57077faf96679db6

SHA512
6edf4594e2b850f3ede5a68738e6482dd6e9a5312bffa61b053312aa383df787641f6747ac91fa71bb80c51ed52a0c23cc911f063cd6e322d9a1210aea64e985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cf8920bd7e46434974ccac9b099ef46f

SHA1
40c9fc9369b1f26972518cdfc472e3544a1f694c

SHA256
faaa99ae8b5d0ce44e6e91e3b0c8194deb6994342514ecdd63ed921f3a082898

SHA512
59fc09b506a42713779583f775e579e0b544db192cc9d7a409666a10e9dd95179b99038ac9791e6cdde00b9745cd68752829b1c7e546262dbfec0cae12b146a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
56fa681abee8cc8167bbed307ddc2cc2

SHA1
e046a4c908e9378f80be30e30571a03d210851a2

SHA256
6d7c9e270c30b4dc86f1420a4af3923706ce4d18aee4e2374e5473a45b9b0001

SHA512
7021440afd23acb9dc654cf22043c61e4bfa6db618d0f83c2cf205dc241c5f4613b699f27cdd266842c6f5a54ba2e00a1e817e2b1f6af6383f719b92647c9e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
cdc94856d3856a54582e92ac75970f70

SHA1
db561a788189a33d260422ca5a5878db819e83e6

SHA256
9e9e31727b55d3860a9b74b94d46c7405a3bf86cb41871350e35f70ed3c1d2ec

SHA512
00dbe7e5b2048f113c3a57672127400aceeb052c6f2d1785307d047d4f6b9b3a53483d5b8ed47afd5af7fd8c3ef259d95580270e8dc1a55910ff04dc5fa8057e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7d57bd3851451010bad40c0ba6953fb3

SHA1
52dc74598f411698d69bd572953a6ecc9e2cd0c3

SHA256
12d026b8bad77cd6035255db2f83416a84913028a84633d376da274664df55da

SHA512
f0f7badf3338e445770cca5dba4fc713d2742417a61da6ba0dba32e7f57e99b32f2212eaa7dd80176814c527ddfda9f3e2abbff06da8be0bd41e869fe776422d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a0f2f32f821b87da90ed65269cf0035d

SHA1
b7dabcf62e5b2211adf406e48d712bf8c019f144

SHA256
f917f24d86dbef5ea8495a3854abcb85a95812255b444d65036eedc09c4ddd8d

SHA512
29211444f5da4618925c332494c76cfeb3335c6373da77470f16c77553ad5b956c18f745ef068f242b3d40950d426dd37f5f18d3628a7e6aab2611a11d914b81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit