Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

nkth.exe

windows10-ltsc 2021-x64

10

nkth.exe

windows10-2004-x64

10

nkth.exe

windows10-ltsc 2021-x64

10

nkth.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    898s
  • max time network
    900s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-uk
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250207-uklocale:uk-uaos:windows10-ltsc 2021-x64systemwindows
  • submitted
    08/02/2025, 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nkth.exe

  • Size

    55KB

  • MD5

    33644523cb6a6c01bbf2dd5c3a97aafc

  • SHA1

    7fd0d35a09a32693d30ffdb49ecd69c1229d2a20

  • SHA256

    e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45

  • SHA512

    43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b

  • SSDEEP

    1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm

Score
10/10
njratadwarebootkitdiscoverypersistenceprivilege_escalationstealertrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\nkth.exe
    "C:\Users\Admin\AppData\Local\Temp\nkth.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\ccbad7bf075c4c84b39a7467b3be3592.EXE
      "C:\Users\Admin\AppData\Local\Temp\ccbad7bf075c4c84b39a7467b3be3592.EXE"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        PID:3988
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4516
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFB0B.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3580
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:4948
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0RDMEJDRTEtMzM3OC00NThGLUJGODgtMTU0QjlFRTczQTVCfSIgdXNlcmlkPSJ7Mzg5MDhGMUMtMTczMy00Njk1LUJDNTUtQzIzMjIwMzQzN0QyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDlEMTU3QjMtMzgzMS00RjkyLUJCMTEtNDQ1NEYxQjhCM0FGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NTQ0IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDgwMzc1NTYwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDk5ODY3MDgxOSIvPjwvYXBwPjwvcmVxdWVzdD4
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2788
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3596
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff76d70a818,0x7ff76d70a824,0x7ff76d70a830
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2528
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:5056
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff76d70a818,0x7ff76d70a824,0x7ff76d70a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4548
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff61f57a818,0x7ff61f57a824,0x7ff61f57a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:5088
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff61f57a818,0x7ff61f57a824,0x7ff61f57a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:5052
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3336
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff61f57a818,0x7ff61f57a824,0x7ff61f57a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1448
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0RDMEJDRTEtMzM3OC00NThGLUJGODgtMTU0QjlFRTczQTVCfSIgdXNlcmlkPSJ7Mzg5MDhGMUMtMTczMy00Njk1LUJDNTUtQzIzMjIwMzQzN0QyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins5RERGNzMyRC0yMjNCLTRGQzAtQjFFOS1GOEYyNjAyMDJDRTF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xOTUuNDMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBjb2hvcnQ9InJyZkAwLjQxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjEiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezkyRTJGREE2LTRGNUUtNDlEQS04MTVDLURBMDdEMUQxQUM3Q30iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjciIG5leHR2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIwIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MTc3OTY2MDkwMjgwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDEzMDQ2NDIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwMTMwNDY0MjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNzA5NDM1NTc0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk2MTkzMDImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9TmwzRUE0dFFJcWZkU3VaczUyb1RGdloyanBOVnhOa2VWJTJmUUF5T3Z6bG9KQUx5TVNpMUE0blBoOXBrUzMwdnVHMElwRzJxOExRRk13MjU4V1FqQmlJZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODk0IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTcwOTQzNTU3NCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk2MTkzMDImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9TmwzRUE0dFFJcWZkU3VaczUyb1RGdloyanBOVnhOa2VWJTJmUUF5T3Z6bG9KQUx5TVNpMUE0blBoOXBrUzMwdnVHMElwRzJxOExRRk13MjU4V1FqQmlJZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjEyMjAxMTcyMSIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iMzUxOTA0Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNzA5NDM1NTc0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJ3aW5odHRwIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTYxOTMwMiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1ObDNFQTR0UUlxZmRTdVpzNTJvVEZ2WjJqcE5WeE5rZVYlMmZRQXlPdnpsb0pBTHlNU2kxQTRuUGg5cGtTMzB2dUcwSXBHMnE4TFFGTXcyNThXUWpCaUlnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iMTk5LjIzMi4yMTQuMTcyIiBjZG5fY2lkPSIzIiBjZG5fY2NjPSJHQiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iSElUIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iMzExNDM4Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNzA5NTkxOTQxIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNzIzNjU0MzMzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjI2NzA5MjQ3NyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjEwNjIiIGRvd25sb2FkX3RpbWVfbXM9IjY2OTY1NSIgZG93bmxvYWRlZD0iMTc3MTgwMjE2IiB0b3RhbD0iMTc3MTgwMjE2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI1NDM0NCIvPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMSIgcj0iMSIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0ie0NDQTA2NzRGLThDQ0EtNDg1OC1BNTgxLUNGRjM4Q0YxMDcyQn0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZT0iNjYwOCIgY29ob3J0PSJycmZAMC45MSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InswMjA2QzY1OC00NDVDLTREQUItOEM2Ni04MDJEREVBOURFRjl9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

4
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A1AA8C30-83E2-4CF9-B2F4-0311A7151D20}\EDGEMITMP_1A0BC.tmp\setup.exe
    Filesize

    6.6MB

    MD5

    b4c8ad75087b8634d4f04dc6f92da9aa

    SHA1

    7efaa2472521c79d58c4ef18a258cc573704fb5d

    SHA256

    522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

    SHA512

    5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

    Download Submit

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
    Filesize

    778KB

    MD5

    2f4e1c519d200e6f9312d06b0c734c6f

    SHA1

    19654bf4c5d5303a7fca9429aedd76a123488f1c

    SHA256

    53691cd786cb3aa664a171177d35a2d2c68861df0326fbe9106205966e24dd02

    SHA512

    5b9442ea3fd630eb09e83a9ba01a57b006c2c2ed5b7f22ca928badd6e19b4dfc41f81f4b70411a1641b402b4c3e82af47361d1e1ad7669d71b8a82c4241342a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
    Filesize

    150KB

    MD5

    e8a16450f1f658e2a216317eeab1ea49

    SHA1

    19b26d056d24b1e00933a104a8e320ba52c9c1eb

    SHA256

    6c0ffa7412a2aecdd253d12481460a4dd3ee02d912c3ee4d2124274e12add8a5

    SHA512

    93f952c4891eeb62a90b969973dcd5e5ce85b6d020b96f2520a5fcd47b21a4c6ccf9512d2c935c4dc3557b184a32d8b0623b342a1344b48fba24b6944749db98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ccbad7bf075c4c84b39a7467b3be3592.EXE
    Filesize

    241KB

    MD5

    8964489afcdf25c4eef3aea0e0c9a872

    SHA1

    656485b929fd67c26f733ba6e85525d76c8f9791

    SHA256

    6b4840400cf2f697ce98a66af37497447278ffef8dcac35182726154146ea066

    SHA512

    3ff73c9c910e1f30c9235501864e79d6ac4bc8fafbb62191edca0b4f5ad5c6a46efce9065c2cf169775b83954085d79d2cb45d6f4be8fdbb85a6163f98fecfab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpFB0B.tmp.bat
    Filesize

    184B

    MD5

    58d9a9ccc412070d6d8268a81030e4fc

    SHA1

    7be97c936b7db5d8c48d12a4f05bab10b62eea90

    SHA256

    0c026f9657b41f9c60861798ccb4e8abc85a86ed7c79f7c6d9c268c583207a4d

    SHA512

    222d7b456d9569114c3401dd3dde2b0593255dac434c409e532da6f9f4406ad4ce1fe874a46dee97c7f0ebc5c6f79c6dad863d6c3b3b4f3572e01e6c9fed50d3

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    71KB

    MD5

    f9f47c2b9bba37d7573632f57154455d

    SHA1

    13195adf3f9023bef79c8a7b273736342b98475f

    SHA256

    de610c822ba411769dfe1210c0b40a3c3b5d1dd019d757d216474a6562ebd430

    SHA512

    d71b35230a2c71499bb436c06d57ca0e46f47ba8c0577e9f458ce2a1634726cee03a5b1b55b6148028dbbcb705e133aa672acde811856af510938a8d0d040b59

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    99KB

    MD5

    b57ff8ac888c371e8ef452022eb0942c

    SHA1

    798a842d5afb2203622a68f25f0a63e6c866f0b1

    SHA256

    49d61a4cab783b84a750d5c497dc27615d584f44d69d68091819e5178ab444f7

    SHA512

    559bd16cd2462dc11706b186b3c3ad14fd82b28c7979591d7cb4f1d38d15ddc898a4eaec045229a930c6cad352727b970d70bd87c41849fab82a6dbe9f8917da

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    100KB

    MD5

    7a0de5ea93336ee150658d6017938da9

    SHA1

    1f20b5614e96cdd6c2c6c02b84f10bffbded7977

    SHA256

    79ae88c6384b42b4495f46c481081d5614223057ce02b7e2babce18a2adcd447

    SHA512

    9dab2ac56ad8bcd6a29f8abcc75964434129c6a2e164891ddbc4cfc83057cb00198bd2fecde3ae4893799b30038de4a30bac8194defdabd5a278be163c9820ba

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    101KB

    MD5

    d5eeccb41505a63d04482e7c1286ccaf

    SHA1

    8189ea3cb507b1163e3091d9b9b7350c9f2efecf

    SHA256

    79cc34e7ea4fbae2af40f6cc150e1024939e66f52e9fe1ceb618ad1e53e21dbb

    SHA512

    c335b5a43ab0271d91e33fc280de9ca8cfd42256bf010c7b25888258518056365758c80a7c53be51d5c74a01c6859735be9eca42ab8b82e5c4a9e388db39b26e

    Download Submit

  • memory/2988-4-0x0000000073E00000-0x00000000743B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2988-8-0x0000000073E00000-0x00000000743B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2988-6-0x0000000073E00000-0x00000000743B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2988-0-0x0000000073E02000-0x0000000073E03000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2988-5-0x0000000073E00000-0x00000000743B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2988-3-0x0000000073E02000-0x0000000073E03000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2988-2-0x0000000073E00000-0x00000000743B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2988-1-0x0000000073E00000-0x00000000743B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3552-26-0x00007FFE69AE0000-0x00007FFE6A5A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3552-49-0x00007FFE69AE0000-0x00007FFE6A5A2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3552-25-0x0000000002E20000-0x0000000002E36000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3552-24-0x0000000000C70000-0x0000000000CB2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3552-23-0x00007FFE69AE3000-0x00007FFE69AE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3988-50-0x0000000006150000-0x00000000061E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3988-52-0x0000000006350000-0x000000000635A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3988-47-0x00000000058C0000-0x0000000005E66000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3988-44-0x0000000000A10000-0x0000000000A3A000-memory.dmp

    Filesize

    168KB

    Download