3ba9088ef4662608ccdb45a1333d4a5c9970fa90acdfdff4787233b8e4aa23d4

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

37KB
MD5

e08d7967557238a0ee488e405f7865dd
SHA1

b4428239dff65be117076a6d2169c1f5488e098e
SHA256

3ba9088ef4662608ccdb45a1333d4a5c9970fa90acdfdff4787233b8e4aa23d4
SHA512

f9d197250afbdffb9d7081f87b94687d1cd7d53f7901e0b402444f5e8f9c9df76b8b1ff25d44246231468de3a13bfa5b0d61755bd341bac191bef7ba0d51da81
SSDEEP

384:71/yi00nCVpd3vVmyhKrrvFcCRYc2/efurAF+rMRTyN/0L+EcoinblneHQM3epzR:xHANVdhKr7FcRB/eWrM+rMRa8NuGItN

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2332	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf0442d73ab4fa4b3573bef8feb3ee75.exe	RtkAudioService64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf0442d73ab4fa4b3573bef8feb3ee75.exe	RtkAudioService64.exe

Executes dropped EXE 1 IoCs

pid	Process
1420	RtkAudioService64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cf0442d73ab4fa4b3573bef8feb3ee75 = "\"C:\\Users\\Admin\\RtkAudioService64.exe\" .."	RtkAudioService64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cf0442d73ab4fa4b3573bef8feb3ee75 = "\"C:\\Users\\Admin\\RtkAudioService64.exe\" .."	RtkAudioService64.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	RtkAudioService64.exe
File opened for modification	C:\autorun.inf	RtkAudioService64.exe
File created	D:\autorun.inf	RtkAudioService64.exe
File created	F:\autorun.inf	RtkAudioService64.exe
File opened for modification	F:\autorun.inf	RtkAudioService64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkAudioService64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe
1420	RtkAudioService64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1420	RtkAudioService64.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: SeDebugPrivilege	5092	firefox.exe
Token: SeDebugPrivilege	5092	firefox.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe
Token: 33	1420	RtkAudioService64.exe
Token: SeIncBasePriorityPrivilege	1420	RtkAudioService64.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe
5092	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1420	4964	Bootstrapper.exe	94
PID 4964 wrote to memory of 1420	4964	Bootstrapper.exe	94
PID 4964 wrote to memory of 1420	4964	Bootstrapper.exe	94
PID 1420 wrote to memory of 2332	1420	RtkAudioService64.exe	101
PID 1420 wrote to memory of 2332	1420	RtkAudioService64.exe	101
PID 1420 wrote to memory of 2332	1420	RtkAudioService64.exe	101
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 716 wrote to memory of 5092	716	firefox.exe	112
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 2448	5092	firefox.exe	113
PID 5092 wrote to memory of 3968	5092	firefox.exe	114
PID 5092 wrote to memory of 3968	5092	firefox.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\RtkAudioService64.exe
  "C:\Users\Admin\RtkAudioService64.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\RtkAudioService64.exe" "RtkAudioService64.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:716
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c375d115-278a-4f34-aa09-ef0753dd4024} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" gpu
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba5662ce-e2a7-4fdc-9afe-af1f1e657651} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" socket
    3⤵
    - Checks processor information in registry
    PID:3968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 3008 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b426e635-483a-464f-bdb0-1b4630e5e9bd} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" tab
    3⤵
    PID:2636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3764 -childID 2 -isForBrowser -prefsHandle 3084 -prefMapHandle 3100 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f151ed85-9934-4cb5-86fb-400c9031d7d7} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" tab
    3⤵
    PID:1880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b8c7ddf-c65c-416d-be52-09ece6c9c922} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" utility
    3⤵
    - Checks processor information in registry
    PID:5248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 4836 -prefMapHandle 5488 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {475bd1db-9f9e-4944-9749-741be24a3d07} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" tab
    3⤵
    PID:5704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 4 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {745f3174-6422-4f2b-8763-7e4fa028daaa} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" tab
    3⤵
    PID:5716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5504 -prefMapHandle 5604 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e07b040-f079-4cba-b2e0-e1eb729ea27d} 5092 "\\.\pipe\gecko-crash-server-pipe.5092" tab
    3⤵
    PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
3acbc0e6ec70cdb33d01b2f2e53953b8

SHA1
57ce4d0bdb7a968ed4f997c21414e4d62110c815

SHA256
c2664d155c2f5c38c7df6a217a21dde0c36c26c5d8f575132e7a45698ccd8a84

SHA512
253180875a78485e610b8baf92cc5b1c11993efb3397d5b2d200145a8d47dc734b348ff36b22debba8edadd6c97b0f83330fdf317410e8b42dc04e0badc1f589

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

Filesize
6KB

MD5
b2238d2ed4aab58d1e76bf97e2e78092

SHA1
9e7285c9d4277ab5917421174f55e5d91895ec7d

SHA256
a9c1226a8d31770460c4ff0ab195f9801d6fdd951f17be314192dbe60943b357

SHA512
0e50521fd68baf8a3f5d37308916dfe58edcaf7f2cb2ead061d5a076eb48ab6982417a40f07c010300e66c271cf4b4f1a5b91690aa3d456b97d2c7591aeaf52b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
156d95d699b2cf842f2fac01c36c1e11

SHA1
83def25b4c3b02c1bf25605bb6429428961e48d1

SHA256
fb784c323a8502fc58ac4a6733edef6238432ea7a80357d2930000cf3800f5a2

SHA512
fca004b3d874f21ddc2c935e877bfa5fb39733253da69692e69982b2d8ff41087767416195f5fcf33d327c2cdb44bd739e6596e3508a4e83dea5e878ce0b4bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
39d731ecccd16745b908afa247cc2715

SHA1
cc4053dec83da80087dbf06e1747cfb65726de50

SHA256
28c45a5187740d0b7e9218091d4d180ff185d73a7d076e838648b691f6d645f2

SHA512
3bee14e880cb23cb463605a5f5576be4714483880086bb3c7a2f2856fd0597c11f8ab1c16fa4e53087433f6638eecaf8ba6b447176119d86f340d28f4d79621e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\277e3d9f-1595-4214-99ce-7de7adf340c2

Filesize
28KB

MD5
adcfaeb6f3893b89dd86473e2bb9c5a3

SHA1
70bc48f45e3c9a8a87ed85c0512862aaf5a48b1c

SHA256
e8989278edef46afbd880e60f2175e1945639b4770e9d3a0027ec634e51355f4

SHA512
aeafa23de8986515ccac2226f7ceacff9c033b46bb7fd5d4a8b40e712400901bae6f6b072c087ffc0c6493bad5e882a87e52989577f052ecea5c7619b2c02c32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\c052a38e-7886-4601-854b-a6cf7a8b144f

Filesize
671B

MD5
a2070269b0549d244c68b478cabda535

SHA1
54ccf4a05d172db8043eee489c6f7c2b626572ed

SHA256
de12b3c7f0c5fb245a19c493c279b0c5c07c63f25b09da8b2cc81f6dfc852f8a

SHA512
f2e3e7796e58cbe331bb9585ca1d49b38c5fcfbb6aa1e841e03a435c5bf4a343f806c7301d90004109591f9e2cc959869006a4327d0de8f211c3178fc86d3db7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\e7fc5e92-30dd-4a68-873a-6cc3db667a6d

Filesize
982B

MD5
43171f56bc403cf19f394c722fb46fd2

SHA1
33875a4e526b89cc2e0632da2299fcc4e68bf4a2

SHA256
ff06dcec7b08b7ef5fbb005c09960f2f470efa116b35bbe5df4278907ee82f28

SHA512
1afbc51437c02beb9b81d9f535ac310d59fd49844e6368bf594f1703e53e4ab49348a7cb7512bf74197f3ff726e7695082613dea41ad44855edd124d2c57c148

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

Filesize
10KB

MD5
0da70a2950867fa5f46c337e6cf98048

SHA1
1c2a087d5f2fb8cd83eeb30e6d94ab3bdbd785bf

SHA256
4fa2af31e36e93cf3e8d481b03d102011cc64597da4c911663e7232c9561dfa9

SHA512
eee04284b96c9965b2db75a1138a4c2ad1a0b0fa35b0fa82bd55631b26f4d26ac7a9ff7c4894d87d38fc7acd45af2e7067985ffe8e7e189c8fcd49425a8ab9aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

Filesize
10KB

MD5
c45bf5b04250c24d804048d69c8e4935

SHA1
3429414b09493bca3b928f49b4ff45f4c212e7a0

SHA256
52976f9147e498738df21f5901eb2f1fe6c4c1cbf538bc69ed1d0fb1ced36f69

SHA512
099a299736580bfa6ec6a497941f374421fbafa1c425b91ef1ff6eeba05ab6adc00914a36f3cdb17ef40d2c4b7fc45d90711c1666259104428e33524984bdab4

Download Submit
C:\Users\Admin\RtkAudioService64.exe

Filesize
37KB

MD5
e08d7967557238a0ee488e405f7865dd

SHA1
b4428239dff65be117076a6d2169c1f5488e098e

SHA256
3ba9088ef4662608ccdb45a1333d4a5c9970fa90acdfdff4787233b8e4aa23d4

SHA512
f9d197250afbdffb9d7081f87b94687d1cd7d53f7901e0b402444f5e8f9c9df76b8b1ff25d44246231468de3a13bfa5b0d61755bd341bac191bef7ba0d51da81

Download Submit
memory/1420-34-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1420-35-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1420-33-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1420-23-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1420-21-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/4964-0-0x0000000074C92000-0x0000000074C93000-memory.dmp

Filesize
4KB

Download
memory/4964-22-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/4964-2-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/4964-1-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download