Resubmissions
21/10/2024, 09:32  241021-lhmfcszglm  7
21/10/2024, 08:45  241021-knx9daxcje  7
21/10/2024, 08:41  241021-kly3wsxbmf  8
15/10/2024, 19:54  241015-ymst6ayajl  7

Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/10/2024, 19:54
Static task
static1

General
Target: Rensenware.exe
Size: 96KB
MD5: 60335edf459643a87168da8ed74c2b60
SHA1: 61f3e01174a6557f9c0bfc89ae682d37a7e91e2e
SHA256: 7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a
SHA512: b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb
SSDEEP: 3072:kGXc7vE4k8sWJnmiWpJtCkGwJ1ED7qztG:RXD8sWBmiW0wX6Gx
Malware Config
Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mshta.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies registry class 1 IoCs
- Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 2496 chrome.exe
- PID 2496 chrome.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
- Token: SeShutdownPrivilege, PID 2496 chrome.exe
- Token: SeShutdownPrivilege, PID 2496 chrome.exe
- Token: SeShutdownPrivilege, PID 2496 chrome.exe
- Token: SeShutdownPrivilege, PID 2496 chrome.exe
- Token: SeShutdownPrivilege, PID 2496 chrome.exe
- Token: SeShutdownPrivilege, PID 2496 chrome.exe
- Token: SeDebugPrivilege, PID 2920 firefox.exe
- Token: SeDebugPrivilege, PID 2920 firefox.exe
Suspicious use of FindShellTrayWindow 40 IoCs
Suspicious use of SendNotifyMessage 35 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
- PID 892 iexplore.exe
- PID 892 iexplore.exe
- PID 1852 IEXPLORE.EXE
- PID 1852 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Rensenware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rensenware.exe"
  PID: 2348
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    Command line: dw20.exe -x -s 416
    PID: 352

C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ExportRegister.hta"
  PID: 2840
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 2496
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68b9758,0x7fef68b9768,0x7fef68b9778
    PID: 2888

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1256,i,9430719992213072231,1212310840080485934,131072 /prefetch:2
    PID: 2784

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1256,i,9430719992213072231,1212310840080485934,131072 /prefetch:8
    PID: 1628

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1256,i,9430719992213072231,1212310840080485934,131072 /prefetch:8
    PID: 1808

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2120 --field-trial-handle=1256,i,9430719992213072231,1212310840080485934,131072 /prefetch:1
    PID: 3000

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2180 --field-trial-handle=1256,i,9430719992213072231,1212310840080485934,131072 /prefetch:1
    PID: 2996

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1492 --field-trial-handle=1256,i,9430719992213072231,1212310840080485934,131072 /prefetch:2
    PID: 1044

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2904 --field-trial-handle=1256,i,9430719992213072231,1212310840080485934,131072 /prefetch:1
    PID: 2428

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1256,i,9430719992213072231,1212310840080485934,131072 /prefetch:8
    PID: 2072

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1256,i,9430719992213072231,1212310840080485934,131072 /prefetch:8
    PID: 532

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2364

C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 1192

  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 2920
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.0.510283587\1237442315" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {622ed73c-f5b7-4385-8fa2-3e9e3d65b9b3} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1292 125f5b58 gpu
      PID: 1860

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.1.581387175\202849938" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03cbe176-1a51-4e0d-9193-15c08f3797a2} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1484 e6fe58 socket
      PID: 3052
      - Checks processor information in registry

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.2.1001236367\1382439874" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98605513-be65-4e0b-be03-aa0eb839d817} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 2068 1a57e358 tab
      PID: 1612

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.3.738298015\1282876837" -childID 2 -isForBrowser -prefsHandle 2844 -prefMapHandle 2840 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a3a6007-89db-42d6-b60d-db7b4b335acd} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 2856 1c571e58 tab
      PID: 1616

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.4.83986225\1511631436" -childID 3 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d454f2f-0918-44af-84a2-98053dfd3727} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 2992 1c572d58 tab
      PID: 1580

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.5.1562752627\1360629244" -childID 4 -isForBrowser -prefsHandle 3724 -prefMapHandle 3776 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d64c9567-5f0c-4a26-a73d-d184c694c07b} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 3784 e67e58 tab
      PID: 2908

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.6.1808011261\886275644" -childID 5 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0545a741-6580-464a-a652-4924e51c5c5a} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 3884 1f1feb58 tab
      PID: 2952

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.7.1706755894\108593315" -childID 6 -isForBrowser -prefsHandle 4088 -prefMapHandle 4092 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e42133ff-453b-4fbe-9306-3b83a6f25927} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 4076 1f1fb558 tab
      PID: 884

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RequestComplete.mht
  PID: 892
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
    PID: 1852
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads