Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
893s -
max time network
894s -
platform
windows11-21h2_x64 -
resource
win11-20250207-de -
resource tags
arch:x64arch:x86image:win11-20250207-delocale:de-deos:windows11-21h2-x64systemwindows -
submitted
08/02/2025, 11:33
Behavioral task
behavioral1
Sample
nkth.exe
Resource
win11-20250207-de
Behavioral task
behavioral2
Sample
nkth.exe
Resource
win7-20241010-de
Behavioral task
behavioral3
Sample
nkth.exe
Resource
win10v2004-20250207-de
Behavioral task
behavioral4
Sample
nkth.exe
Resource
win10ltsc2021-20250207-de
Behavioral task
behavioral5
Sample
nkth.exe
Resource
win11-20250207-de
Errors
General
-
Target
nkth.exe
-
Size
55KB
-
MD5
33644523cb6a6c01bbf2dd5c3a97aafc
-
SHA1
7fd0d35a09a32693d30ffdb49ecd69c1229d2a20
-
SHA256
e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45
-
SHA512
43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b
-
SSDEEP
1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm
Malware Config
Signatures
-
Njrat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" setup.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 9 4180 Process not Found -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 14 IoCs
pid Process 2848 setup.exe 1176 setup.exe 4008 setup.exe 4992 setup.exe 3364 setup.exe 1460 setup.exe 1768 setup.exe 476 setup.exe 3384 setup.exe 488 setup.exe 2716 61404fe0251941d081b0c58c6117dacc.exe 3996 MasonMBR-S.exe 3992 MasonGDI.exe 544 MasonRootkit.exe -
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk setup.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk DllHost.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\mr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ne.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogoCanary.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\cy.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\qu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Internal.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ca.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\es-419.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sr.pak setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\delegatedWebFeatures.sccd setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Advertising setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\en-GB.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\et.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\is.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Canary.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\gl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\kok.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\nb.pak setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Temp\msedge.hollow.7z setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\132.0.2957.140.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ne.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\pt-BR.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Extensions\external_extensions.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Advertising setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_helper.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\edge_game_assist\VERSION setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ja.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Stable.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2848_13383489016802054_2848.pma setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\libEGL.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\mip_core.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\kok.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\internal.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Stable.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\nn.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\sr-Latn-RS.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\AdSelectionAttestationsPreloaded\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\MEIPreload\preloaded_data.pb setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\am.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\pwahelper.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\MEIPreload\preloaded_data.pb setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sq.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_100_percent.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\mk.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\stable.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\beta.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\MEIPreload\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\nn.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ka.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\elevation_service.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\nb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\EdgeWebView.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\msedgewebview2.exe.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\en-US.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Cryptomining setup.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe MicrosoftEdge_X64_132.0.2957.140.exe -
Drops file in Windows directory 36 IoCs
description ioc Process File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\Tasks\SA.DAT svchost.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MasonGDI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language shutdown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nkth.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2708 MicrosoftEdgeUpdate.exe 3136 MicrosoftEdgeUpdate.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe -
Modifies data under HKEY_USERS 18 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "214" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" setup.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge setup.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d005500530000000000 winlogon.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\Application setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\ = "Microsoft Edge MHT Document" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.webp setup.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_click_helper.exe\"" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationCompany = "Microsoft Corporation" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationName = "Microsoft Edge" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32 setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.mhtml setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.html setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open\command setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\MSEdgeMHT setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\elevation_service.exe" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\DefaultIcon setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\ = "Microsoft Edge PDF Document" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas\command setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.pdf setup.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32 setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\AppUserModelId = "MSEdge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge" setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,11" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 setup.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4552 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3364 setup.exe 3364 setup.exe 1588 MicrosoftEdgeUpdate.exe 1588 MicrosoftEdgeUpdate.exe 1588 MicrosoftEdgeUpdate.exe 1588 MicrosoftEdgeUpdate.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe 544 MasonRootkit.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1920 nkth.exe 3332 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe Token: SeIncBasePriorityPrivilege 1920 nkth.exe Token: 33 1920 nkth.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE -
Suspicious use of SendNotifyMessage 7 IoCs
pid Process 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE 3332 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3000 LogonUI.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4436 svchost.exe 1832 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1364 wrote to memory of 2848 1364 MicrosoftEdge_X64_132.0.2957.140.exe 85 PID 1364 wrote to memory of 2848 1364 MicrosoftEdge_X64_132.0.2957.140.exe 85 PID 2848 wrote to memory of 1176 2848 setup.exe 86 PID 2848 wrote to memory of 1176 2848 setup.exe 86 PID 2848 wrote to memory of 4008 2848 setup.exe 87 PID 2848 wrote to memory of 4008 2848 setup.exe 87 PID 4008 wrote to memory of 4992 4008 setup.exe 88 PID 4008 wrote to memory of 4992 4008 setup.exe 88 PID 2848 wrote to memory of 3364 2848 setup.exe 89 PID 2848 wrote to memory of 3364 2848 setup.exe 89 PID 2848 wrote to memory of 1460 2848 setup.exe 90 PID 2848 wrote to memory of 1460 2848 setup.exe 90 PID 3364 wrote to memory of 1768 3364 setup.exe 91 PID 3364 wrote to memory of 1768 3364 setup.exe 91 PID 2848 wrote to memory of 476 2848 setup.exe 92 PID 2848 wrote to memory of 476 2848 setup.exe 92 PID 1460 wrote to memory of 3384 1460 setup.exe 93 PID 1460 wrote to memory of 3384 1460 setup.exe 93 PID 476 wrote to memory of 488 476 setup.exe 94 PID 476 wrote to memory of 488 476 setup.exe 94 PID 1920 wrote to memory of 2716 1920 nkth.exe 100 PID 1920 wrote to memory of 2716 1920 nkth.exe 100 PID 2716 wrote to memory of 4552 2716 61404fe0251941d081b0c58c6117dacc.exe 101 PID 2716 wrote to memory of 4552 2716 61404fe0251941d081b0c58c6117dacc.exe 101 PID 2716 wrote to memory of 3996 2716 61404fe0251941d081b0c58c6117dacc.exe 103 PID 2716 wrote to memory of 3996 2716 61404fe0251941d081b0c58c6117dacc.exe 103 PID 2716 wrote to memory of 3992 2716 61404fe0251941d081b0c58c6117dacc.exe 104 PID 2716 wrote to memory of 3992 2716 61404fe0251941d081b0c58c6117dacc.exe 104 PID 2716 wrote to memory of 3992 2716 61404fe0251941d081b0c58c6117dacc.exe 104 PID 2716 wrote to memory of 544 2716 61404fe0251941d081b0c58c6117dacc.exe 105 PID 2716 wrote to memory of 544 2716 61404fe0251941d081b0c58c6117dacc.exe 105 PID 544 wrote to memory of 616 544 MasonRootkit.exe 5 PID 544 wrote to memory of 704 544 MasonRootkit.exe 7 PID 544 wrote to memory of 996 544 MasonRootkit.exe 12 PID 544 wrote to memory of 404 544 MasonRootkit.exe 13 PID 544 wrote to memory of 656 544 MasonRootkit.exe 15 PID 704 wrote to memory of 2168 704 lsass.exe 38 PID 544 wrote to memory of 844 544 MasonRootkit.exe 16 PID 544 wrote to memory of 1032 544 MasonRootkit.exe 17 PID 544 wrote to memory of 1104 544 MasonRootkit.exe 18 PID 544 wrote to memory of 1124 544 MasonRootkit.exe 19 PID 544 wrote to memory of 1144 544 MasonRootkit.exe 20 PID 544 wrote to memory of 1168 544 MasonRootkit.exe 21 PID 544 wrote to memory of 1244 544 MasonRootkit.exe 22 PID 544 wrote to memory of 1272 544 MasonRootkit.exe 23 PID 544 wrote to memory of 1300 544 MasonRootkit.exe 24 PID 544 wrote to memory of 1308 544 MasonRootkit.exe 25 PID 544 wrote to memory of 1464 544 MasonRootkit.exe 26 PID 544 wrote to memory of 1524 544 MasonRootkit.exe 27 PID 544 wrote to memory of 1560 544 MasonRootkit.exe 28 PID 544 wrote to memory of 1600 544 MasonRootkit.exe 29 PID 544 wrote to memory of 1680 544 MasonRootkit.exe 30 PID 544 wrote to memory of 1692 544 MasonRootkit.exe 31 PID 544 wrote to memory of 1712 544 MasonRootkit.exe 32 PID 544 wrote to memory of 1804 544 MasonRootkit.exe 33 PID 544 wrote to memory of 1832 544 MasonRootkit.exe 34 PID 544 wrote to memory of 1992 544 MasonRootkit.exe 35 PID 544 wrote to memory of 2052 544 MasonRootkit.exe 37 PID 544 wrote to memory of 2168 544 MasonRootkit.exe 38 PID 544 wrote to memory of 2176 544 MasonRootkit.exe 39 PID 544 wrote to memory of 2184 544 MasonRootkit.exe 40 PID 544 wrote to memory of 2208 544 MasonRootkit.exe 41 PID 544 wrote to memory of 2216 544 MasonRootkit.exe 42 PID 544 wrote to memory of 2244 544 MasonRootkit.exe 44 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
PID:616 -
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:404
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a27855 /state1:0x41c64e6d2⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3000
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:704
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:996
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:844
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
PID:1104 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1588
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1124
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1144
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵PID:1168
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1244
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:3148
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1272
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1300
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1308
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1464
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:1560
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1600
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E02⤵PID:4032
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1680
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1712
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
- Suspicious use of UnmapMainImage
PID:1832
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1992
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2052
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2168
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:2176
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2184
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2264
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:3028
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2388
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3176
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3332 -
C:\Users\Admin\AppData\Local\Temp\nkth.exe"C:\Users\Admin\AppData\Local\Temp\nkth.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\61404fe0251941d081b0c58c6117dacc.exe"C:\Users\Admin\AppData\Local\Temp\61404fe0251941d081b0c58c6117dacc.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\\MasonMBR.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:4552
-
-
C:\Users\Admin\AppData\Local\Temp\MasonMBR-S.exe"C:\Users\Admin\AppData\Local\Temp\MasonMBR-S.exe"4⤵
- Executes dropped EXE
PID:3996
-
-
C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe"C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3992
-
-
C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:544
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c start shutdown /s /f /t 03⤵
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\shutdown.exeshutdown /s /f /t 04⤵
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:992
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3520
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3912
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:3960
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4024
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4084
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
- Suspicious use of UnmapMainImage
PID:4436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:4840
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:3324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:2108
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:4256
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4708
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4040
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
PID:2712
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUFCNDBBNjktODU4NC00ODM1LTkxOTAtNUFBQjY0MThCODhEfSIgdXNlcmlkPSJ7M0VFQUExMUUtNDA5Ny00ODQyLUIwRjYtQUU4NTdDMjM2NUZBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NThBN0Q2NjAtMTQ3RC00NDBDLThFODMtNUU0N0EwRDQ0NUZDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1MTk2MCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI0NTQ1NjU5MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxMTk4ODE1MzQiLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3136
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:3984
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\MicrosoftEdge_X64_132.0.2957.140.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2848 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff76513a818,0x7ff76513a824,0x7ff76513a8303⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1176
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff76513a818,0x7ff76513a824,0x7ff76513a8304⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4992
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff64170a818,0x7ff64170a824,0x7ff64170a8304⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1768
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff64170a818,0x7ff64170a824,0x7ff64170a8304⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3384
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:476 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff64170a818,0x7ff64170a824,0x7ff64170a8304⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:488
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUFCNDBBNjktODU4NC00ODM1LTkxOTAtNUFBQjY0MThCODhEfSIgdXNlcmlkPSJ7M0VFQUExMUUtNDA5Ny00ODQyLUIwRjYtQUU4NTdDMjM2NUZBfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsxQTQ3RDQyRi1DMEU1LTQxNDMtQjAxQy04N0M4OTk1QkQzMjh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40MSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins0QkMzNDE5RC04NjJGLTRFQkMtOTQ3Ni1FQzJBRTI4Q0Y1QUZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDMxNjAwMzQ3MjQ0MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTEzODc4Nzk4OSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTM4Nzg3OTg5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDE0NzUzODIxOSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NjE5NzExJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUlpYkNnVlRmSFhjY0RFQTVHNE1RdVRzWFdJOThjNWc0d2NXSU1XSnNoUXlXYWhrSnNJQWdkeiUyZlBnYmRpUyUyYlFVUnNBaTVRSUVGUXBUNHpqVmRrTTI2dyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMTQ3NTM4MjE5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTYxOTcxMSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1JaWJDZ1ZUZkhYY2NERUE1RzRNUXVUc1hXSTk4YzVnNHdjV0lNV0pzaFF5V2Foa0pzSUFnZHolMmZQZ2JkaVMlMmJRVVJzQWk1UUlFRlFwVDR6alZka00yNnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9IjQ5NDM0MyIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDE0NzY5NDMwMiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDE2MTI4ODU1NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA2OTM2MzI0NjYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMTEwIiBkb3dubG9hZF90aW1lX21zPSI1MDA4OTAiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTMyMzQiLz48cGluZyBhY3RpdmU9IjEiIGE9IjEiIHI9IjEiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins5RUYxOEVGNi1GQ0E0LTQzOTEtQkU2Ri03NzZENUIyRkZERUV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40MSIgdXBkYXRlX2NvdW50PSIxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjEiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezU5QkZEOTkwLTc2OTktNDRFRC05RDI3LUEzM0FENkVDMUY4NH0iLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2708
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{65CA0981-C664-4A91-856B-6784B9522F71}\EDGEMITMP_D32E9.tmp\setup.exe
Filesize6.6MB
MD5b4c8ad75087b8634d4f04dc6f92da9aa
SHA17efaa2472521c79d58c4ef18a258cc573704fb5d
SHA256522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf
SHA5125094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3
-
Filesize
3.7MB
MD53646786aea064c0845f5bb1b8e976985
SHA1a31ba2d2192898d4c0a01511395bdf87b0e53873
SHA256a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f
SHA512145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4
-
Filesize
850KB
MD588724406869ecbabcb710244d65577b3
SHA14030d6122d936427401808147f4868447b100c56
SHA25662850790a3675ee7fed856ac14e4b434fcef91bfa6bb642d332afeb826cc2cfc
SHA51294149277071576581ba96230173e2d5c986962810da1fbf9cf4fd72f8a58c4bb3c62366630c8953d269e1ad155e62c59ed487a3c50b3cc7799dccf3e8a49c81c
-
Filesize
858KB
MD5b4d474a4f4a7bd0af2c6c5cc0d07d912
SHA1be591c4bf0c13fc54bd38a90d8e91a898bc24d4b
SHA2569cf2b05bee1a9766ebb663bd7e1d63ca5bcef8e8ee4dcb40ae0f50bec67d1011
SHA5127a580bdb2eb544b0760eff417402c4cec2a5d1a535f5936b1c26a0cef7f9a45b35692275e7b1a7ea37918540301ddc5d591d71ab49de22e4ed46588aa8cdd82c
-
Filesize
482KB
MD585e11c1d67aec0150757e3255d8231b7
SHA19167c5ea4a23d59f38e82f128f2b1a2dbbd88cea
SHA256b6dac480e4c7f15e8de6633ee9b52b3bda0b6b2f1897a76ddb4ab0ffb76b2588
SHA512a25fcf6c359a00e5671b08dbf91fde79fe14e9720d8d8b4980584fbb32f9bba78a8cc8760e5c504fad894e34df1d2693bd1d161539ad4597df3c50c84c1c5e51
-
Filesize
147KB
MD5fd138f51961f3071e135dae4e279ca7d
SHA163a107425ab4b3515b4c6545076ac6721a459717
SHA25624f189af6d0c0af7dbdbf230183423d34d9cc3c06f55fa911145dcc19e3a6eb6
SHA512f0d596ebe25c89907018f4d5ca4635df28c7f7095c81bd4d6f6b0819301bd113fb2469d643c02b5d41f2ce523e8539c1a97a817160ee0074d6e1f0a7951e7804
-
Filesize
58KB
MD51b120dcde4b7be948179d53257c71423
SHA1efd894e18d8d9eb8b0af9e8eeaa0d44be04a7b62
SHA25634c657218a5d7702de283691e868f61c1f50ffcd9e6c6bd3f0336bda904975aa
SHA512fb5ac3cdc836926919710edb15f0e4cb54a72f74122566ac2a965efb1b36daa94cdf01b4b984203d0d4c0deb0791f65d20d675029b40fa7e1baafd3194e4dbfe
-
Filesize
161KB
MD594f1ab3a068f83b32639579ec9c5d025
SHA138f3d5bc5de46feb8de093d11329766b8e2054ae
SHA256879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0
SHA51244d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c
-
Filesize
72KB
MD519fca7d8d3146928a3cd8a66e4964cc1
SHA1580703c5c1fc3eb0a0678a8a6281de0667de9905
SHA256f575c1323849412c59b9842f563700cb48e0645e73816418c4c380be186ac869
SHA5125fda4423fd31794fd876313d8661d3b0d888ea2406e04e866e5f476071ebaa748b9230e5966f6a3c51f79d89a2d4a0726343da06de46dabd23506fc80364ecf5
-
Filesize
99KB
MD559c0e0c790cd241766831e8924d81246
SHA1e1b7e6ba31676f220b4049aa4c8614e19e857a06
SHA256f5490dbcdb47c5c87c0d30e430e00cf4073aeab90a6f3b0c49683e1b2d4bd5cd
SHA51209bd1a18fcd9b38cdc68c68c73b76d919421776aa0f20b29bb4725ce3e6d7812d5909c2a7593119d77b7d598cfbdf85772c7a9d5b5a5b0ea851e982d4bc7562f
-
Filesize
103KB
MD59bdce904059373f9db20c998399b64aa
SHA1de77952e0098814dfa98c5e3d97df2a89476e064
SHA256b214a5cb8e702e4f4a6d6759361be5ca05453e2f2390ced6fc2ab414e1fb3313
SHA512c75316d64d614b361823add1852c95e2aa676bc3e501a1562c4c67f30807d0b1bcdceead9f893895403ad65b9b680cd68e6142118bd247ef695f3bfd749767ce
-
Filesize
104KB
MD59cc01b6155b5f273a5fda5e10206d521
SHA1c243b25866e6da72628a75cce8558841618cff68
SHA25638f9fafd5d2b276b4dff4564c18259650d650bd08af32da8d34e24daa7d49d8b
SHA5121fa825aee847d754ab662d598fc67a51b58b8834016a31d126053689495fe6317e5ef90dc6ac779f344799e9b97195a5d11e86fb3ed27c2a3743da3631e2f01b