Analysis
- Max time kernel: 98s
- Max time network: 96s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 13-11-2024 12:21

Tasks
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://www.mediafire.com/file/sj2kyc9q925g6hg/Krasus+Bootstrapper.rar/file
  - Resource: win10v2004-20241007-en

General
- Target: https://www.mediafire.com/file/sj2kyc9q925g6hg/Krasus+Bootstrapper.rar/file
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: Krasus-Pc
- C2: mingrelian.duckdns.org:4444
- Mutex: cf0442d73ab4fa4b3573bef8feb3ee75
- Attributes:
  - reg_key: cf0442d73ab4fa4b3573bef8feb3ee75
  - splitter: |'|'|
Signatures

Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
- pid 4696, netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (Bootstrapper.exe)

Drops startup file (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf0442d73ab4fa4b3573bef8feb3ee75.exe (RtkAudioService64.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf0442d73ab4fa4b3573bef8feb3ee75.exe (RtkAudioService64.exe)

Executes dropped EXE (2 IoCs)
- pid 4384, Bootstrapper.exe
- pid 2732, RtkAudioService64.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cf0442d73ab4fa4b3573bef8feb3ee75 = "\"C:\\Users\\Admin\\RtkAudioService64.exe\" .." (RtkAudioService64.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cf0442d73ab4fa4b3573bef8feb3ee75 = "\"C:\\Users\\Admin\\RtkAudioService64.exe\" .." (RtkAudioService64.exe)

Drops autorun.inf file (1 TTP, 5 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: C:\autorun.inf (RtkAudioService64.exe)
- File created: D:\autorun.inf (RtkAudioService64.exe)
- File created: F:\autorun.inf (RtkAudioService64.exe)
- File opened for modification: F:\autorun.inf (RtkAudioService64.exe)
- File created: C:\autorun.inf (RtkAudioService64.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Bootstrapper.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RtkAudioService64.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 2732, RtkAudioService64.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Suspicious use of AdjustPrivilegeToken (13 IoCs)
- Token: SeRestorePrivilege (pid 2264, 7zG.exe)
- Token: 35 (pid 2264, 7zG.exe)
- Token: SeSecurityPrivilege (pid 2264, 7zG.exe)
- Token: SeSecurityPrivilege (pid 2264, 7zG.exe)
- Token: SeDebugPrivilege (pid 2732, RtkAudioService64.exe)
- Token: 33 (pid 2732, RtkAudioService64.exe)
- Token: SeIncBasePriorityPrivilege (pid 2732, RtkAudioService64.exe)
- Token: 33 (pid 2732, RtkAudioService64.exe)
- Token: SeIncBasePriorityPrivilege (pid 2732, RtkAudioService64.exe)
- Token: 33 (pid 2732, RtkAudioService64.exe)
- Token: SeIncBasePriorityPrivilege (pid 2732, RtkAudioService64.exe)
- Token: 33 (pid 2732, RtkAudioService64.exe)
- Token: SeIncBasePriorityPrivilege (pid 2732, RtkAudioService64.exe)
Suspicious use of FindShellTrayWindow (40 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4984)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/sj2kyc9q925g6hg/Krasus+Bootstrapper.rar/file
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 332)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa302e46f8,0x7ffa302e4708,0x7ffa302e4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1144)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2664)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4052)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2204)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4208)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 796)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5068)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2352)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5856 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3096)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2144)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3608)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3364)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3136)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2436)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 584)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4484)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4584)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5416886117082129281,10740470477137279063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1

- C:\Windows\System32\CompPkgSrv.exe (PID 4216)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 3136)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\rundll32.exe (PID 3792)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Program Files\7-Zip\7zG.exe (PID 2264)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap19480:100:7zEvent14399
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Users\Admin\Downloads\Bootstrapper.exe (PID 4384)
  Command line: "C:\Users\Admin\Downloads\Bootstrapper.exe"
  Signatures:
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  Children:
  - C:\Users\Admin\RtkAudioService64.exe (PID 2732)
    Command line: "C:\Users\Admin\RtkAudioService64.exe"
    Signatures:
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    Children:
    - C:\Windows\SysWOW64\netsh.exe (PID 4696)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\RtkAudioService64.exe" "RtkAudioService64.exe" ENABLE
      Signatures:
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads