Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250207-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    08-02-2025 08:43

General

  • Target

    lmlmdos.exe

  • Size

    23KB

  • MD5

    5eb67cac2f9ef8a548ba327896909cda

  • SHA1

    b8f3612f2d00c581387b02a615ad178874b51329

  • SHA256

    f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

  • SHA512

    40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f

  • SSDEEP

    384:XweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZQy:oLq411eRpcnuI

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe
    "C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:664
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-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
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1996
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2744
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff75e03a818,0x7ff75e03a824,0x7ff75e03a830
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1660
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff75e03a818,0x7ff75e03a824,0x7ff75e03a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:3436
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7636fa818,0x7ff7636fa824,0x7ff7636fa830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2688
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7636fa818,0x7ff7636fa824,0x7ff7636fa830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2612
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7636fa818,0x7ff7636fa824,0x7ff7636fa830
          4⤵
          • Executes dropped EXE
          PID:3336
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzdFODkxMTQtMDNBRC00QjFGLUE1QTAtNUM4NDJEQTUwQzQxfSIgdXNlcmlkPSJ7RjRGQUNENzgtQTYxQS00RDQ0LTk2MEItRkVDQjBGMjI0NDhFfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4OTczMzk3NC04ODdELTRENzctOTFCMC0yODYwRkI4QkIxQTR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-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-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_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-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-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins3RjdCRkY3Ny00RkU3LTQyNTctQkNGQy0yQTM3MDM5NjUxM0V9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F46FF5F9-8036-4BCD-B33C-93E78B0C6161}\EDGEMITMP_8FD83.tmp\setup.exe

    Filesize

    6.6MB

    MD5

    b4c8ad75087b8634d4f04dc6f92da9aa

    SHA1

    7efaa2472521c79d58c4ef18a258cc573704fb5d

    SHA256

    522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

    SHA512

    5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

    Filesize

    472KB

    MD5

    508038d4dfac872cde5ce6a0bb65d53d

    SHA1

    1e57029e937fc0329a9fe1f0eb4440eb835d7b98

    SHA256

    93c6f7608d42e3bff1654e7fbdd7083ad65f3cbd2e32176be2524c63090bb1b2

    SHA512

    2cf0ebee8e4ee78e6592cf6fb94182324ef2090cff6cc7206904eecc224543ac2d376b85112caa073545c0d62d21442982294402d75bd473bc4ee5a3a3aafe6b

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    23KB

    MD5

    5eb67cac2f9ef8a548ba327896909cda

    SHA1

    b8f3612f2d00c581387b02a615ad178874b51329

    SHA256

    f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

    SHA512

    40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    71KB

    MD5

    98e52598f381778516c1d599668772c4

    SHA1

    899fbf262acf83c79cca3fe8d848339b7e7ac1ac

    SHA256

    e13b5d1910ac7b360432ad40274c4f353f6e9702e050f79ee772538844d65111

    SHA512

    8e97ebbe8efb3033810c03e26dc74fa5952ed16ba6955e1d1270b058f965e362d4ba46ce51434504a594331668dd9db530675ca0d2eaa9914262c8ff2888d41b

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    95KB

    MD5

    db3b554169e5b058ae24b33f159408a7

    SHA1

    b648ea0a1545b9f81dfec37f64eb0635db935585

    SHA256

    a39170e715a2c80108890f630507a1e1a4d89a7ca7b44afa08990ab020725c60

    SHA512

    b2c2b0cb3cb09a993ed8deff19c953ef422d6ca25ca31eb20027cadea13230dc9254058af551f035b96c7300452bf72b029cd3b1bb9c1cead0a5604a4e3da0c7

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    100KB

    MD5

    1efee101349ec8cf94a5f37067d43fc7

    SHA1

    d356f6339378ce0abd3b75e6e3fed3e105186cff

    SHA256

    a70eacfad928dfd1e207854130e7e397f67c8517a148e2da865c86f73bec4347

    SHA512

    b36501f9f0c8e0f8d27eeccb4fbb98ac6f17edaa09162e459132836b6bb98ebbd189708e63939c99403e504fa8089842414f2f6d6ffee1066edf8ecf5a161539

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    101KB

    MD5

    ab3461a803af9b7dd972996e2400764c

    SHA1

    d9d6d72bbd9b39805b2269aab2b8c4a22906c9c9

    SHA256

    c5518d180b90744ea96036831623044820b98bfe90486f06f0d9f246fd79bbf3

    SHA512

    f1edea14b4a496e294aacb6a3a98d6d77011c43c8ccc7057bc9d25d6b33cd90fba46ef729ebd0eac2b8d30bd36510062ac360e53285c586c19b5978e43a8a745

  • memory/4232-19-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

  • memory/4232-21-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

  • memory/4232-18-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

  • memory/4232-15-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

  • memory/4232-17-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

  • memory/4844-0-0x0000000074842000-0x0000000074843000-memory.dmp

    Filesize

    4KB

  • memory/4844-16-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

  • memory/4844-2-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

  • memory/4844-1-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB