Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    900s
  • max time network
    900s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-uk
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-uklocale:uk-uaos:windows10-2004-x64systemwindows
  • submitted
    08/02/2025, 11:33

General

  • Target

    nkth.exe

  • Size

    55KB

  • MD5

    33644523cb6a6c01bbf2dd5c3a97aafc

  • SHA1

    7fd0d35a09a32693d30ffdb49ecd69c1229d2a20

  • SHA256

    e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45

  • SHA512

    43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b

  • SSDEEP

    1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nkth.exe
    "C:\Users\Admin\AppData\Local\Temp\nkth.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\790513c571684654ad33497c4491e1b3.exe
      "C:\Users\Admin\AppData\Local\Temp\790513c571684654ad33497c4491e1b3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3144
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjIzMzAzQ0EtRUQ4Qy00MjQ3LTkxRTMtRUIyQjNFQjQwMjYwfSIgdXNlcmlkPSJ7OTQ2QjVFNUUtN0Q2Qi00QzU2LTlFMzgtM0YzM0I2OTdGMjI5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDYyQzBFMEUtQzlCNS00OTZGLTgxNDktMDQ3MTNEOUUxM0FCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzYwODA5MzYxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2164
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1456
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75a9ca818,0x7ff75a9ca824,0x7ff75a9ca830
        3⤵
        • Executes dropped EXE
        PID:5068
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:640
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75a9ca818,0x7ff75a9ca824,0x7ff75a9ca830
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:728
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3520
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a9e3a818,0x7ff7a9e3a824,0x7ff7a9e3a830
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:4560
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a9e3a818,0x7ff7a9e3a824,0x7ff7a9e3a830
          4⤵
          • Executes dropped EXE
          PID:1840
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a9e3a818,0x7ff7a9e3a824,0x7ff7a9e3a830
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:1324
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
    1⤵
      PID:1048
    • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
      "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
      1⤵
        PID:1712
      • C:\Windows\system32\wwahost.exe
        "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:636
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjIzMzAzQ0EtRUQ4Qy00MjQ3LTkxRTMtRUIyQjNFQjQwMjYwfSIgdXNlcmlkPSJ7OTQ2QjVFNUUtN0Q2Qi00QzU2LTlFMzgtM0YzM0I2OTdGMjI5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntFNzlDNjVBQy0wMDFGLTRGMzQtOUQzMS1CNEU4Q0MwMjQwODB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuMTkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7M0E3N0FFN0UtQkVEOC00RTA1LTg2ODgtRDUzQ0RGMDlCRkRCfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQyOTY1ODY5ODgwMDAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MTkwOTA4MjEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQxOTA5MDgyMSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzMzgxNTI4ODQiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTYxOTMzMyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1OWm8lMmJwZiUyZk5VdGFkY3RORWVodlNuMzllajFZclJGbzc0enRTOEUwN1pJQ1lmTnlJR2pDMFE0dlNzJTJmMnpXeTNPZlRmYzViYU1HN2lXJTJmZG5Wckp2b253JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzMzgzMDkwNTkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NjE5MzMzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PU5abyUyYnBmJTJmTlV0YWRjdE5FZWh2U24zOWVqMVlyUkZvNzR6dFM4RTA3WklDWWZOeUlHakMwUTR2U3MlMmYyeld5M09mVGZjNWJhTUc3aVclMmZkblZySnZvbnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9Ijc4NTc1MCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzMzODMwOTA1OSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzM1MTU5MDY3NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM4OTI2ODQzNjYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI0MjUwIiBkb3dubG9hZF90aW1lX21zPSI3OTE5MjIiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTQxMTAiLz48cGluZyBhY3RpdmU9IjEiIGE9IjEiIHI9IjEiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins3MTNBQjhDMy05QkQ3LTQxMTAtOTlERi1ERTk4MjNFN0RGMTV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjY2MDgiIGNvaG9ydD0icnJmQDAuNzAiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MTBGNjIyOEEtMjhEOC00OTk1LUFGMUQtQjIyQUFENEVDNUU5fSIvPjwvYXBwPjwvcmVxdWVzdD4
        1⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:1352

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe

        Filesize

        6.6MB

        MD5

        b4c8ad75087b8634d4f04dc6f92da9aa

        SHA1

        7efaa2472521c79d58c4ef18a258cc573704fb5d

        SHA256

        522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

        SHA512

        5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

        Filesize

        3.7MB

        MD5

        3646786aea064c0845f5bb1b8e976985

        SHA1

        a31ba2d2192898d4c0a01511395bdf87b0e53873

        SHA256

        a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

        SHA512

        145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

      • C:\Program Files\msedge_installer.log

        Filesize

        70KB

        MD5

        1c4c7389dd7aafd8a2a70d36fbe70e6b

        SHA1

        3d3d9782801aabf1a1edcb6eb534e12225512fbc

        SHA256

        e7ab642d43b762d440ca99bd4925fdd5eca57c7469272a22b69cf440efd46588

        SHA512

        470071942572f174477e10db9f8940cb63da4213eca52f82bfc5e1bf2dbcd553b92f2e3e5022b39609e7ca3efe2c8debd20143fbe24b58350a5c18a4577aeddc

      • C:\Program Files\msedge_installer.log

        Filesize

        96KB

        MD5

        7daa9cbe5c885bd3fcbc95e0cc5ccc65

        SHA1

        72498815de2fab7baafde293695edea77c5699d5

        SHA256

        43c71151812126c7113a6df8c28251e012a48c5aa9a4949526d9c36c55c1a8f7

        SHA512

        6b8e63ec4823100dc83b5566f28a88116d4271b4a4a58de0f78d1184a891c87271cc245e23e0801d7a354de295834d3b8781f6bec1b6de525f84ebbfa75dd4d5

      • C:\Program Files\msedge_installer.log

        Filesize

        101KB

        MD5

        ef041b93fe3647aa894c7dd271998dde

        SHA1

        d1e8bcb08e7be75b71d9066a0efcad980846c949

        SHA256

        ea03ce086b39dbb8a8930d6f8faf31b204202cf16715b6104974b041fdeb204a

        SHA512

        08fc5f4c4b2b041c5a4b647b883d0444fcd967f382eb384bebe5ac98c4da5f59dcad9e15c95602ff810b7f27f708d8bd0a69e005fa05157da66224771e029310

      • C:\Program Files\msedge_installer.log

        Filesize

        102KB

        MD5

        d1bab77678c3cf29a239e62c09a7a406

        SHA1

        a103b45f4b6d715d10db72fb0c285937a88f2748

        SHA256

        f8971aa2fe297a0b44bf19603b7b7abeae6d4549a4543e3da9516da49d9740a3

        SHA512

        784e11bdac9e669cd48e008ab5a43e7f9b07399d4d598324b156342f183a9bf08fb56cb83c05c9aef236c6b1c1e8e359b7c8b642711ab7a6aa64c6c22da0f42a

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        1.3MB

        MD5

        5e700bc9ace8593aaff634e63ec48017

        SHA1

        1916226b9f1a53cbc627412ad5b8199c69cf0566

        SHA256

        697e76a8c63793dabc98fbbd221321406444f3dfb67c7cb727f7cb71b20de5fd

        SHA512

        f5a18f71e8d3625bf2b50922dbfd656456147fff2aae717e86c23e083cc684d43f00270c0f540fc61a2c32e0b1aea2ffdc44436d4bb7cb77586f50e6e307f338

      • C:\Users\Admin\AppData\Local\Temp\790513c571684654ad33497c4491e1b3.exe

        Filesize

        16KB

        MD5

        683bcb1f86f4410931abe39a63eb7057

        SHA1

        d338aac5ff479fc94d3c840e862665de1dac8c8f

        SHA256

        c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

        SHA512

        60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

      • memory/1712-90-0x000002126B370000-0x000002126B5B9000-memory.dmp

        Filesize

        2.3MB

      • memory/1712-89-0x0000021269DC0000-0x0000021269DC8000-memory.dmp

        Filesize

        32KB

      • memory/1712-88-0x0000021269D90000-0x0000021269D9A000-memory.dmp

        Filesize

        40KB

      • memory/1712-87-0x0000021267BC0000-0x0000021267BCE000-memory.dmp

        Filesize

        56KB

      • memory/3144-24-0x000000001BF20000-0x000000001BFBC000-memory.dmp

        Filesize

        624KB

      • memory/3144-21-0x000000001B900000-0x000000001BDCE000-memory.dmp

        Filesize

        4.8MB

      • memory/3144-19-0x00007FFFE85C5000-0x00007FFFE85C6000-memory.dmp

        Filesize

        4KB

      • memory/3144-25-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

        Filesize

        32KB

      • memory/3144-26-0x000000001C1D0000-0x000000001C21C000-memory.dmp

        Filesize

        304KB

      • memory/3144-28-0x00007FFFE85C5000-0x00007FFFE85C6000-memory.dmp

        Filesize

        4KB

      • memory/3144-29-0x00007FFFE8310000-0x00007FFFE8CB1000-memory.dmp

        Filesize

        9.6MB

      • memory/3144-30-0x00007FFFE8310000-0x00007FFFE8CB1000-memory.dmp

        Filesize

        9.6MB

      • memory/3144-22-0x00007FFFE8310000-0x00007FFFE8CB1000-memory.dmp

        Filesize

        9.6MB

      • memory/3144-23-0x00007FFFE8310000-0x00007FFFE8CB1000-memory.dmp

        Filesize

        9.6MB

      • memory/3144-20-0x000000001B380000-0x000000001B426000-memory.dmp

        Filesize

        664KB

      • memory/3436-0-0x0000000074772000-0x0000000074773000-memory.dmp

        Filesize

        4KB

      • memory/3436-7-0x0000000074770000-0x0000000074D21000-memory.dmp

        Filesize

        5.7MB

      • memory/3436-6-0x0000000074770000-0x0000000074D21000-memory.dmp

        Filesize

        5.7MB

      • memory/3436-5-0x0000000074770000-0x0000000074D21000-memory.dmp

        Filesize

        5.7MB

      • memory/3436-4-0x0000000074770000-0x0000000074D21000-memory.dmp

        Filesize

        5.7MB

      • memory/3436-3-0x0000000074772000-0x0000000074773000-memory.dmp

        Filesize

        4KB

      • memory/3436-2-0x0000000074770000-0x0000000074D21000-memory.dmp

        Filesize

        5.7MB

      • memory/3436-1-0x0000000074770000-0x0000000074D21000-memory.dmp

        Filesize

        5.7MB