Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    898s
  • max time network
    899s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250207-uk
  • resource tags

    arch:x64arch:x86image:win11-20250207-uklocale:uk-uaos:windows11-21h2-x64systemwindows
  • submitted
    08/02/2025, 11:33

General

  • Target

    nkth.exe

  • Size

    55KB

  • MD5

    33644523cb6a6c01bbf2dd5c3a97aafc

  • SHA1

    7fd0d35a09a32693d30ffdb49ecd69c1229d2a20

  • SHA256

    e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45

  • SHA512

    43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b

  • SSDEEP

    1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nkth.exe
    "C:\Users\Admin\AppData\Local\Temp\nkth.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:3208
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzNBODFBMjctNTg1NS00QzNFLThFN0QtRDkyMUVDODNBQTU1fSIgdXNlcmlkPSJ7RkVENDk2NDYtQTRERC00MkRELTgyNzEtNEZFODFGOERBN0Q4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTgyMDhGM0ItMzRBQi00NkQ3LThFNjctN0Y5NkM5OEZERjM4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1MTk2MCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI0NTQ1NjU5MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5MjMwODA4NjUiLz48L2FwcD48L3JlcXVlc3Q-
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3084
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2732
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7857ea818,0x7ff7857ea824,0x7ff7857ea830
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3280
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7857ea818,0x7ff7857ea824,0x7ff7857ea830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4024
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7a850a818,0x7ff7a850a824,0x7ff7a850a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1920
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7a850a818,0x7ff7a850a824,0x7ff7a850a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2060
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4284
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7a850a818,0x7ff7a850a824,0x7ff7a850a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2968
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzNBODFBMjctNTg1NS00QzNFLThFN0QtRDkyMUVDODNBQTU1fSIgdXNlcmlkPSJ7RkVENDk2NDYtQTRERC00MkRELTgyNzEtNEZFODFGOERBN0Q4fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntGRTAwNTQyQi1CQzMzLTQxQkItOUMxQy1CQTNCRDc0QTBEREF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40MSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins0QkMzNDE5RC04NjJGLTRFQkMtOTQ3Ni1FQzJBRTI4Q0Y1QUZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDM1MjY4NTAzNjAzMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDk1MjMwMDYzOSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTUyNDU2MTQwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4NTI0MDE4Njc3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk2MTkzMzAmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9VUUxVFJQMXd6Q0IyZ2tsbzJHdGlMbmFzSmxzaGtWcUsyM1JEMGtITVVXb05OJTJiZmtXd3AxamVsJTJmUnlyNTFmeFQyTGMlMmZMZFN0TXgybTFUJTJiVDZqJTJmZHB3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4OTQiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg1MjQwMTg2NzciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NjE5MzMwJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVVFMVRSUDF3ekNCMmdrbG8yR3RpTG5hc0psc2hrVnFLMjNSRDBrSE1VV29OTiUyYmZrV3dwMWplbCUyZlJ5cjUxZnhUMkxjJTJmTGRTdE14Mm0xVCUyYlQ2aiUyZmRwdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjY0Njk4OCIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iMzIzODI4Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg1MjQxNzUzNjYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NjE5MzMwJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVVFMVRSUDF3ekNCMmdrbG8yR3RpTG5hc0psc2hrVnFLMjNSRDBrSE1VV29OTiUyYmZrV3dwMWplbCUyZlJ5cjUxZnhUMkxjJTJmTGRTdE14Mm0xVCUyYlQ2aiUyZmRwdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjIuMjAuMTIuOTUiIGNkbl9jaWQ9IjIiIGNkbl9jY2M9IkdCIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc3MTgwMjE2IiB0b3RhbD0iMTc3MTgwMjE2IiBkb3dubG9hZF90aW1lX21zPSIyNzAzMSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4NTI0MTc1MzY2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg1Mzc5MjU5MDciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjkwNzI0NTY4NDYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxNzM0IiBkb3dubG9hZF90aW1lX21zPSIzNTcxNzIiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTM0NTMiLz48cGluZyBhY3RpdmU9IjEiIGE9IjEiIHI9IjEiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins5RUYxOEVGNi1GQ0E0LTQzOTEtQkU2Ri03NzZENUIyRkZERUV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40MSIgdXBkYXRlX2NvdW50PSIxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjEiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezU5QkZEOTkwLTc2OTktNDRFRC05RDI3LUEzM0FENkVDMUY4NH0iLz48L2FwcD48L3JlcXVlc3Q-
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4D9AA118-5D8F-4B07-83E5-32A20CCAFEEA}\EDGEMITMP_70458.tmp\setup.exe

    Filesize

    6.6MB

    MD5

    b4c8ad75087b8634d4f04dc6f92da9aa

    SHA1

    7efaa2472521c79d58c4ef18a258cc573704fb5d

    SHA256

    522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

    SHA512

    5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

    Filesize

    3.7MB

    MD5

    3646786aea064c0845f5bb1b8e976985

    SHA1

    a31ba2d2192898d4c0a01511395bdf87b0e53873

    SHA256

    a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

    SHA512

    145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

    Filesize

    585KB

    MD5

    47084311cd1a82411ddcb07fc7117a04

    SHA1

    e409bb5cb5c050a74b2fdf02c5d43f06a9c1b9ba

    SHA256

    aac16207e1f8a828fab2d246882c4aeb0eaec04c69cc4eaf32dd3d1f9623088e

    SHA512

    9a0608ecfbe1307136927a08dd36a5846f6151306c172c317e078b1a5611df16331876cbe7e2e9ab875088647cb27390be4515e8fce022f652fa91b1e81af880

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    72KB

    MD5

    d5416de0332dc0321c5a0eeeefd445d6

    SHA1

    2f7ef1d81743916839ac2825ef51cda0dae5276b

    SHA256

    bd10481cdab072553a15e2fee73a26c0c57fb2a190c01edb28b4ef264aca6550

    SHA512

    6278ad42897574e19a42e40655cdf0cee0bf3f7e7aa887fe9f0a98fea943faa3f3500d2710372c5b0bbb1dcd2fdfb601b22848b38ed4e1680d8760d6cc12070d

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    104KB

    MD5

    f52a8ce8fcd3f01673d052add7258a9e

    SHA1

    c5138023d3dc3657ae94d509318e3bdb3728b1ed

    SHA256

    6f32c0cb7b5ae7f3b23134afb656a62ba30dad5c9c22c75e23e82581aee14a12

    SHA512

    12a7a93ee972859ac039ba986b3fb480c922b0ed9ccc786081a4af4653cda8056915d5f758a400d1b53e13a4b5b5b575d1d6774134a826a2e9a9da00b13b92ed

  • memory/3208-0-0x0000000074021000-0x0000000074022000-memory.dmp

    Filesize

    4KB

  • memory/3208-1-0x0000000074020000-0x00000000745D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3208-2-0x0000000074020000-0x00000000745D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3208-3-0x0000000074020000-0x00000000745D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3208-4-0x0000000074020000-0x00000000745D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3208-5-0x0000000074020000-0x00000000745D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3208-6-0x0000000074020000-0x00000000745D1000-memory.dmp

    Filesize

    5.7MB