Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
898s -
max time network
899s -
platform
windows11-21h2_x64 -
resource
win11-20250207-uk -
resource tags
arch:x64arch:x86image:win11-20250207-uklocale:uk-uaos:windows11-21h2-x64systemwindows -
submitted
08/02/2025, 11:33
Behavioral task
behavioral1
Sample
nkth.exe
Resource
win10ltsc2021-20250207-uk
Behavioral task
behavioral2
Sample
nkth.exe
Resource
win10v2004-20250207-uk
Behavioral task
behavioral3
Sample
nkth.exe
Resource
win10ltsc2021-20250207-uk
Behavioral task
behavioral4
Sample
nkth.exe
Resource
win11-20250207-uk
General
-
Target
nkth.exe
-
Size
55KB
-
MD5
33644523cb6a6c01bbf2dd5c3a97aafc
-
SHA1
7fd0d35a09a32693d30ffdb49ecd69c1229d2a20
-
SHA256
e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45
-
SHA512
43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b
-
SSDEEP
1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm
Malware Config
Signatures
-
Njrat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" setup.exe -
Downloads MZ/PE file 2 IoCs
flow pid Process 9 572 Process not Found 14 3560 Process not Found -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 10 IoCs
pid Process 2732 setup.exe 3280 setup.exe 4460 setup.exe 4024 setup.exe 2928 setup.exe 1872 setup.exe 1920 setup.exe 4284 setup.exe 2060 setup.exe 2968 setup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk setup.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\LICENSE setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\MEIPreload\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\hu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\fi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\tr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Fingerprinting setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\es.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\te.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ur.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\oneauth.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\nn.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\SmallLogoCanary.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\fa.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Fingerprinting setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ms.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\ffmpeg.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedgewebview2.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\et.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Dev.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoBeta.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\fr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\gd.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\132.0.2957.140.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\prefs_enclave_x64.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\az.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ca-Es-VALENCIA.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\sq.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\zh-TW.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\cy.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\concrt140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\dxil.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\libGLESv2.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msvcp140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\v8_context_snapshot.bin setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vk_swiftshader_icd.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\en-US.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\lb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ne.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fil.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lo.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\te.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\edge_feedback\camera_mf_trace.wprp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\nb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\mip_core.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\mspdf.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Cryptomining setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\gu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\is.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ru.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\cookie_exporter.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\PdfPreview\PdfPreviewHandler.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\cy.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\sr-Cyrl-BA.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tt.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\kk.pak setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\delegatedWebFeatures.sccd setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dc42d537-20eb-4082-b6d6-73b6bf71ee3a.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_helper.exe setup.exe -
Drops file in Windows directory 35 IoCs
description ioc Process File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nkth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3084 MicrosoftEdgeUpdate.exe 3088 MicrosoftEdgeUpdate.exe -
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge setup.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" setup.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open\command setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.htm setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\MSEdgeHTM setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\MSEdgeHTM setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\elevation_service.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\PdfPreview\\PdfPreviewHandler.dll" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.pdf setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.mhtml setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"%1\"" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_helper.exe\"" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.xht setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT setup.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_click_helper.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ = "ie_to_edge_bho.IEToEdgeBHO.1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.webp setup.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0" setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} setup.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32 setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas\command setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}\ = "ie_to_edge_bho" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" setup.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2928 setup.exe 2928 setup.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3208 nkth.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe Token: SeIncBasePriorityPrivilege 3208 nkth.exe Token: 33 3208 nkth.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3220 wrote to memory of 2732 3220 MicrosoftEdge_X64_132.0.2957.140.exe 87 PID 3220 wrote to memory of 2732 3220 MicrosoftEdge_X64_132.0.2957.140.exe 87 PID 2732 wrote to memory of 3280 2732 setup.exe 88 PID 2732 wrote to memory of 3280 2732 setup.exe 88 PID 2732 wrote to memory of 4460 2732 setup.exe 89 PID 2732 wrote to memory of 4460 2732 setup.exe 89 PID 4460 wrote to memory of 4024 4460 setup.exe 90 PID 4460 wrote to memory of 4024 4460 setup.exe 90 PID 2732 wrote to memory of 2928 2732 setup.exe 91 PID 2732 wrote to memory of 2928 2732 setup.exe 91 PID 2732 wrote to memory of 1872 2732 setup.exe 92 PID 2732 wrote to memory of 1872 2732 setup.exe 92 PID 2928 wrote to memory of 1920 2928 setup.exe 93 PID 2928 wrote to memory of 1920 2928 setup.exe 93 PID 2732 wrote to memory of 4284 2732 setup.exe 94 PID 2732 wrote to memory of 4284 2732 setup.exe 94 PID 1872 wrote to memory of 2060 1872 setup.exe 95 PID 1872 wrote to memory of 2060 1872 setup.exe 95 PID 4284 wrote to memory of 2968 4284 setup.exe 96 PID 4284 wrote to memory of 2968 4284 setup.exe 96 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nkth.exe"C:\Users\Admin\AppData\Local\Temp\nkth.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzNBODFBMjctNTg1NS00QzNFLThFN0QtRDkyMUVDODNBQTU1fSIgdXNlcmlkPSJ7RkVENDk2NDYtQTRERC00MkRELTgyNzEtNEZFODFGOERBN0Q4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTgyMDhGM0ItMzRBQi00NkQ3LThFNjctN0Y5NkM5OEZERjM4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1MTk2MCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI0NTQ1NjU5MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5MjMwODA4NjUiLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3084
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\MicrosoftEdge_X64_132.0.2957.140.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable1⤵
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2732 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7857ea818,0x7ff7857ea824,0x7ff7857ea8303⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3280
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7857ea818,0x7ff7857ea824,0x7ff7857ea8304⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4024
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7a850a818,0x7ff7a850a824,0x7ff7a850a8304⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1920
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7a850a818,0x7ff7a850a824,0x7ff7a850a8304⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2060
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7a850a818,0x7ff7a850a824,0x7ff7a850a8304⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2968
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzNBODFBMjctNTg1NS00QzNFLThFN0QtRDkyMUVDODNBQTU1fSIgdXNlcmlkPSJ7RkVENDk2NDYtQTRERC00MkRELTgyNzEtNEZFODFGOERBN0Q4fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntGRTAwNTQyQi1CQzMzLTQxQkItOUMxQy1CQTNCRDc0QTBEREF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40MSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins0QkMzNDE5RC04NjJGLTRFQkMtOTQ3Ni1FQzJBRTI4Q0Y1QUZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDM1MjY4NTAzNjAzMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDk1MjMwMDYzOSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTUyNDU2MTQwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4NTI0MDE4Njc3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk2MTkzMzAmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9VUUxVFJQMXd6Q0IyZ2tsbzJHdGlMbmFzSmxzaGtWcUsyM1JEMGtITVVXb05OJTJiZmtXd3AxamVsJTJmUnlyNTFmeFQyTGMlMmZMZFN0TXgybTFUJTJiVDZqJTJmZHB3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4OTQiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg1MjQwMTg2NzciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NjE5MzMwJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVVFMVRSUDF3ekNCMmdrbG8yR3RpTG5hc0psc2hrVnFLMjNSRDBrSE1VV29OTiUyYmZrV3dwMWplbCUyZlJ5cjUxZnhUMkxjJTJmTGRTdE14Mm0xVCUyYlQ2aiUyZmRwdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjY0Njk4OCIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iMzIzODI4Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg1MjQxNzUzNjYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NjE5MzMwJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVVFMVRSUDF3ekNCMmdrbG8yR3RpTG5hc0psc2hrVnFLMjNSRDBrSE1VV29OTiUyYmZrV3dwMWplbCUyZlJ5cjUxZnhUMkxjJTJmTGRTdE14Mm0xVCUyYlQ2aiUyZmRwdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjIuMjAuMTIuOTUiIGNkbl9jaWQ9IjIiIGNkbl9jY2M9IkdCIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc3MTgwMjE2IiB0b3RhbD0iMTc3MTgwMjE2IiBkb3dubG9hZF90aW1lX21zPSIyNzAzMSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4NTI0MTc1MzY2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg1Mzc5MjU5MDciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjkwNzI0NTY4NDYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxNzM0IiBkb3dubG9hZF90aW1lX21zPSIzNTcxNzIiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTM0NTMiLz48cGluZyBhY3RpdmU9IjEiIGE9IjEiIHI9IjEiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins5RUYxOEVGNi1GQ0E0LTQzOTEtQkU2Ri03NzZENUIyRkZERUV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40MSIgdXBkYXRlX2NvdW50PSIxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjEiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezU5QkZEOTkwLTc2OTktNDRFRC05RDI3LUEzM0FENkVDMUY4NH0iLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3088
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe
Filesize6.6MB
MD5b4c8ad75087b8634d4f04dc6f92da9aa
SHA17efaa2472521c79d58c4ef18a258cc573704fb5d
SHA256522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf
SHA5125094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3
-
Filesize
3.7MB
MD53646786aea064c0845f5bb1b8e976985
SHA1a31ba2d2192898d4c0a01511395bdf87b0e53873
SHA256a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f
SHA512145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4
-
Filesize
585KB
MD547084311cd1a82411ddcb07fc7117a04
SHA1e409bb5cb5c050a74b2fdf02c5d43f06a9c1b9ba
SHA256aac16207e1f8a828fab2d246882c4aeb0eaec04c69cc4eaf32dd3d1f9623088e
SHA5129a0608ecfbe1307136927a08dd36a5846f6151306c172c317e078b1a5611df16331876cbe7e2e9ab875088647cb27390be4515e8fce022f652fa91b1e81af880
-
Filesize
72KB
MD5d5416de0332dc0321c5a0eeeefd445d6
SHA12f7ef1d81743916839ac2825ef51cda0dae5276b
SHA256bd10481cdab072553a15e2fee73a26c0c57fb2a190c01edb28b4ef264aca6550
SHA5126278ad42897574e19a42e40655cdf0cee0bf3f7e7aa887fe9f0a98fea943faa3f3500d2710372c5b0bbb1dcd2fdfb601b22848b38ed4e1680d8760d6cc12070d
-
Filesize
104KB
MD5f52a8ce8fcd3f01673d052add7258a9e
SHA1c5138023d3dc3657ae94d509318e3bdb3728b1ed
SHA2566f32c0cb7b5ae7f3b23134afb656a62ba30dad5c9c22c75e23e82581aee14a12
SHA51212a7a93ee972859ac039ba986b3fb480c922b0ed9ccc786081a4af4653cda8056915d5f758a400d1b53e13a4b5b5b575d1d6774134a826a2e9a9da00b13b92ed