Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

nkth.exe

windows7-x64

10

nkth.exe

windows7-x64

10

nkth.exe

windows10-2004-x64

10

nkth.exe

windows10-ltsc 2021-x64

10

nkth.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    899s
  • max time network
    899s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250207-es
  • resource tags

    arch:x64arch:x86image:win11-20250207-eslocale:es-esos:windows11-21h2-x64systemwindows
  • submitted
    08/02/2025, 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nkth.exe

  • Size

    55KB

  • MD5

    33644523cb6a6c01bbf2dd5c3a97aafc

  • SHA1

    7fd0d35a09a32693d30ffdb49ecd69c1229d2a20

  • SHA256

    e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45

  • SHA512

    43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b

  • SSDEEP

    1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm

Score
10/10
njratadwarebootkitdiscoverypersistenceprivilege_escalationstealertrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\nkth.exe
    "C:\Users\Admin\AppData\Local\Temp\nkth.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Local\Temp\3a53ce3142ae4844983cc0b44eca201a.EXE
      "C:\Users\Admin\AppData\Local\Temp\3a53ce3142ae4844983cc0b44eca201a.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        PID:3448
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4632
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB66.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2916
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTFCQUY4NzctMzhERS00NDFDLThCRjEtMTJGOTMyQUVCOTdFfSIgdXNlcmlkPSJ7NkI2RDY5MzEtMjlERC00RUQzLThCN0QtQUMxNjFCODlFMTM1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTY2QUU3RTgtMDQ4Mi00QTMxLUJGRkQtODEwQTNEOEQ5QjE0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjEzMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI4NzExMjU0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5NjA4OTY5MjEiLz48L2FwcD48L3JlcXVlc3Q-
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1580
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2616
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff67f3fa818,0x7ff67f3fa824,0x7ff67f3fa830
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2516
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff67f3fa818,0x7ff67f3fa824,0x7ff67f3fa830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2976
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4936
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff669a8a818,0x7ff669a8a824,0x7ff669a8a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4940
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff669a8a818,0x7ff669a8a824,0x7ff669a8a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2264
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff669a8a818,0x7ff669a8a824,0x7ff669a8a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4904
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTFCQUY4NzctMzhERS00NDFDLThCRjEtMTJGOTMyQUVCOTdFfSIgdXNlcmlkPSJ7NkI2RDY5MzEtMjlERC00RUQzLThCN0QtQUMxNjFCODlFMTM1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins5NjBGMDkxRS1ENDdCLTQ1MDItQkJGOS0zMTA5QTg2RjY1RTN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC43MCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InszMTc3OTYyOS04RjQ3LTRGNDktOEVCNC1CMzlDMjhCNDE1OUR9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDM3NTQzNDk4MjYwMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDk4NzQ1OTczOSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTg3NDU5NzM5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDI4NzkyODA3NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NjE5NjQ4JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWJTcDF0QXZZQVJFVGZRaGtYSiUyYm9pRkdCTWw3cVk5SXJ2ak1GY3RNVGVESjZZd2dDRWl1RGZ1TW1NaEwxQ0h4R1dyaFFoVkNXOUN6Z3hEZDVBam1hckElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDI4NzkyODA3NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk2MTk2NDgmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9YlNwMXRBdllBUkVUZlFoa1hKJTJib2lGR0JNbDdxWTlJcnZqTUZjdE1UZURKNll3Z0NFaXVEZnVNbU1oTDFDSHhHV3JoUWhWQ1c5Q3pneERkNUFqbWFyQSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iNTIzNjI1Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMjg4MDg0NjA5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMzAxODM0Nzk0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDg0MTM2NjAzNCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjE3MzUiIGRvd25sb2FkX3RpbWVfbXM9IjUzMDA2MyIgZG93bmxvYWRlZD0iMTc3MTgwMjE2IiB0b3RhbD0iMTc3MTgwMjE2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI1Mzk1MyIvPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMSIgcj0iMSIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezM1N0IxQjMxLTgyMDEtNDQ2NC1BOEU5LTFBOTAyREI5NDFCN30iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBjb2hvcnQ9InJyZkAwLjk0IiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NjZBNTUwMTUtQjE3NC00REMxLTk2Q0EtQUZFQkUxRjU2Mzk5fSIvPjwvYXBwPjwvcmVxdWVzdD4
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

4
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7458A8E6-1013-4FD8-8F53-790075889E6B}\EDGEMITMP_1C190.tmp\setup.exe
    Filesize

    6.6MB

    MD5

    b4c8ad75087b8634d4f04dc6f92da9aa

    SHA1

    7efaa2472521c79d58c4ef18a258cc573704fb5d

    SHA256

    522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

    SHA512

    5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

    Download Submit

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Filesize

    3.7MB

    MD5

    3646786aea064c0845f5bb1b8e976985

    SHA1

    a31ba2d2192898d4c0a01511395bdf87b0e53873

    SHA256

    a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

    SHA512

    145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

    Download Submit

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
    Filesize

    880KB

    MD5

    b70a98b4f522685302aa6ce6ec10c543

    SHA1

    584536dd049667c7c9cc4afc3fe7025322cfb175

    SHA256

    00f8dd1ae9c9f9c3974bf95662fbc102062e6d8fed6e7f6f4c0c8b0953e08761

    SHA512

    f7a8a72ae4d293713720db34151783bf140f21b2b0ba5b3cb6b633af7a341c6eeea64005325ded867e68d16960bdf2971794d650add68bde7d12a2c98a5fd8c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3a53ce3142ae4844983cc0b44eca201a.EXE
    Filesize

    241KB

    MD5

    8964489afcdf25c4eef3aea0e0c9a872

    SHA1

    656485b929fd67c26f733ba6e85525d76c8f9791

    SHA256

    6b4840400cf2f697ce98a66af37497447278ffef8dcac35182726154146ea066

    SHA512

    3ff73c9c910e1f30c9235501864e79d6ac4bc8fafbb62191edca0b4f5ad5c6a46efce9065c2cf169775b83954085d79d2cb45d6f4be8fdbb85a6163f98fecfab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
    Filesize

    150KB

    MD5

    e8a16450f1f658e2a216317eeab1ea49

    SHA1

    19b26d056d24b1e00933a104a8e320ba52c9c1eb

    SHA256

    6c0ffa7412a2aecdd253d12481460a4dd3ee02d912c3ee4d2124274e12add8a5

    SHA512

    93f952c4891eeb62a90b969973dcd5e5ce85b6d020b96f2520a5fcd47b21a4c6ccf9512d2c935c4dc3557b184a32d8b0623b342a1344b48fba24b6944749db98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB66.tmp.bat
    Filesize

    183B

    MD5

    5735ba04b569c3ca695bba88173f1848

    SHA1

    2e65a41c0fa9c97905e98fccfa50d6168bc6cfeb

    SHA256

    ec17266901f8582c7aca7d7fe9d66450262d03e7c138a26cfd9c56c953e8758e

    SHA512

    a4edff79f14afbe0e9f7b0f0c04610573ac9beef8eb01d3148765c2489bc67ee0960cad2ca636bf9ab91f706e2c6b65d85c82f56d8a7e9e263132144c478fd70

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    73KB

    MD5

    3a2370fa7d1836018dd233fdcb9b955c

    SHA1

    0eca0d377dc0ac67659e799cd51747a7ebeb1a85

    SHA256

    b04f58cc4c9f57fe1ebf53ee30725215e7d8d0f9e8b51f96494851210da455f4

    SHA512

    a97ff82a284e1822bb637db2a09e76b397403cacee3f12e4d46fdb08163de8f1dd3d496da55601e47b0c6dec5be8ae06ae527e06a03d1ca755dcbb403424e728

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    98KB

    MD5

    7eda812717dc8f17717f398c23371179

    SHA1

    0e1177a33e3d8202e51daa86c9cd17ab0de3e9b9

    SHA256

    798ba0065dcb9627d9c9cecd4e63705e9b4ba0a0eaed4bcd2b2d8c3edf91a639

    SHA512

    02da8c516e5226d9ed4dc93d4b6b302c90ac7aba6c87b9c4eb882984f34ee7341e57e4ae94c8e3a253362cf327e8115aeb9d1f488c0c45eb27c43e53bc86a844

    Download Submit

  • C:\Windows\SystemTemp\msedge_installer.log
    Filesize

    103KB

    MD5

    18f8f9848f78fd1b7d3c029d2eb38316

    SHA1

    e0fa7f7a64c848b9a055de505b1eee3a1712df6c

    SHA256

    cc10c6826762dba6bc4f81880c31138c382ce76144ce6825d91229b9d2d45531

    SHA512

    b2490ea7e5913b00c8d8d706d2a1891a9ed029008265c4e10f191ae0767561f4c163c95876cfd4206c7789e0fa564cfad3c4af706cb6138837e445c417c376c3

    Download Submit

  • memory/3280-19-0x00007FFC1C743000-0x00007FFC1C745000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3280-20-0x0000000000790000-0x00000000007D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3280-21-0x0000000000EF0000-0x0000000000F06000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3280-22-0x00007FFC1C740000-0x00007FFC1D202000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3280-42-0x00007FFC1C740000-0x00007FFC1D202000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3448-45-0x00000000071F0000-0x00000000071FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3448-41-0x0000000005D70000-0x0000000006316000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3448-37-0x0000000000E00000-0x0000000000E2A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3448-44-0x0000000006600000-0x0000000006692000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5036-0-0x0000000073F01000-0x0000000073F02000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5036-7-0x0000000073F00000-0x00000000744B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5036-5-0x0000000073F00000-0x00000000744B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5036-4-0x0000000073F00000-0x00000000744B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5036-3-0x0000000073F00000-0x00000000744B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5036-2-0x0000000073F00000-0x00000000744B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5036-1-0x0000000073F00000-0x00000000744B1000-memory.dmp

    Filesize

    5.7MB

    Download