njrat | e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45

Analysis

max time kernel
900s
max time network
900s
platform
windows10-2004_x64
resource
win10v2004-20250207-uk
resource tags

arch:x64arch:x86image:win10v2004-20250207-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
08/02/2025, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nkth.exe
Size

55KB
MD5

33644523cb6a6c01bbf2dd5c3a97aafc
SHA1

7fd0d35a09a32693d30ffdb49ecd69c1229d2a20
SHA256

e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45
SHA512

43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b
SSDEEP

1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm

Score

10^/10

njrat adware discovery persistence privilege_escalation stealer trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
18	3076	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	nkth.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 11 IoCs

pid	Process
3144	790513c571684654ad33497c4491e1b3.exe
1456	setup.exe
5068	setup.exe
640	setup.exe
728	setup.exe
3520	setup.exe
4012	setup.exe
4560	setup.exe
1948	setup.exe
1324	setup.exe
1840	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\kk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\edge_feedback\camera_mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\v8_context_snapshot.bin	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\is.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe	MicrosoftEdge_X64_132.0.2957.140.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\telclient.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ka.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\canary.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\SETUP.EX_	MicrosoftEdge_X64_132.0.2957.140.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\onramp.dll	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_bho.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\id.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lo.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\et.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1948_13383488929895770_1948.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\am.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\beta.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\edge_game_assist\VERSION	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\gl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\tt.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nkth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2164	MicrosoftEdgeUpdate.exe
1352	MicrosoftEdgeUpdate.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,11"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_click_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com\NumberOfSubdomains = "0"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\ = "0"	wwahost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe
3144	790513c571684654ad33497c4491e1b3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3436	nkth.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: SeDebugPrivilege	3144	790513c571684654ad33497c4491e1b3.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe
Token: 33	3436	nkth.exe
Token: SeIncBasePriorityPrivilege	3436	nkth.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
636	wwahost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3144	3436	nkth.exe	89
PID 3436 wrote to memory of 3144	3436	nkth.exe	89
PID 1928 wrote to memory of 1456	1928	MicrosoftEdge_X64_132.0.2957.140.exe	94
PID 1928 wrote to memory of 1456	1928	MicrosoftEdge_X64_132.0.2957.140.exe	94
PID 1456 wrote to memory of 5068	1456	setup.exe	95
PID 1456 wrote to memory of 5068	1456	setup.exe	95
PID 1456 wrote to memory of 640	1456	setup.exe	96
PID 1456 wrote to memory of 640	1456	setup.exe	96
PID 640 wrote to memory of 728	640	setup.exe	97
PID 640 wrote to memory of 728	640	setup.exe	97
PID 1456 wrote to memory of 3520	1456	setup.exe	98
PID 1456 wrote to memory of 3520	1456	setup.exe	98
PID 1456 wrote to memory of 4012	1456	setup.exe	99
PID 1456 wrote to memory of 4012	1456	setup.exe	99
PID 3520 wrote to memory of 4560	3520	setup.exe	101
PID 3520 wrote to memory of 4560	3520	setup.exe	101
PID 1456 wrote to memory of 1948	1456	setup.exe	100
PID 1456 wrote to memory of 1948	1456	setup.exe	100
PID 1948 wrote to memory of 1324	1948	setup.exe	102
PID 1948 wrote to memory of 1324	1948	setup.exe	102
PID 4012 wrote to memory of 1840	4012	setup.exe	104
PID 4012 wrote to memory of 1840	4012	setup.exe	104

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\nkth.exe
"C:\Users\Admin\AppData\Local\Temp\nkth.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Local\Temp\790513c571684654ad33497c4491e1b3.exe
  "C:\Users\Admin\AppData\Local\Temp\790513c571684654ad33497c4491e1b3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjIzMzAzQ0EtRUQ4Qy00MjQ3LTkxRTMtRUIyQjNFQjQwMjYwfSIgdXNlcmlkPSJ7OTQ2QjVFNUUtN0Q2Qi00QzU2LTlFMzgtM0YzM0I2OTdGMjI5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDYyQzBFMEUtQzlCNS00OTZGLTgxNDktMDQ3MTNEOUUxM0FCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzYwODA5MzYxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2164

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\MicrosoftEdge_X64_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1456
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75a9ca818,0x7ff75a9ca824,0x7ff75a9ca830
    3⤵
    - Executes dropped EXE
    PID:5068
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75a9ca818,0x7ff75a9ca824,0x7ff75a9ca830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:728
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a9e3a818,0x7ff7a9e3a824,0x7ff7a9e3a830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4560
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a9e3a818,0x7ff7a9e3a824,0x7ff7a9e3a830
      4⤵
      Executes dropped EXE
      PID:1840
- - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a9e3a818,0x7ff7a9e3a824,0x7ff7a9e3a830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:1048

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
PID:1712

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:636

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjIzMzAzQ0EtRUQ4Qy00MjQ3LTkxRTMtRUIyQjNFQjQwMjYwfSIgdXNlcmlkPSJ7OTQ2QjVFNUUtN0Q2Qi00QzU2LTlFMzgtM0YzM0I2OTdGMjI5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntFNzlDNjVBQy0wMDFGLTRGMzQtOUQzMS1CNEU4Q0MwMjQwODB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuMTkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7M0E3N0FFN0UtQkVEOC00RTA1LTg2ODgtRDUzQ0RGMDlCRkRCfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQyOTY1ODY5ODgwMDAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MTkwOTA4MjEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQxOTA5MDgyMSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzMzgxNTI4ODQiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTYxOTMzMyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1OWm8lMmJwZiUyZk5VdGFkY3RORWVodlNuMzllajFZclJGbzc0enRTOEUwN1pJQ1lmTnlJR2pDMFE0dlNzJTJmMnpXeTNPZlRmYzViYU1HN2lXJTJmZG5Wckp2b253JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzMzgzMDkwNTkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NjE5MzMzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PU5abyUyYnBmJTJmTlV0YWRjdE5FZWh2U24zOWVqMVlyUkZvNzR6dFM4RTA3WklDWWZOeUlHakMwUTR2U3MlMmYyeld5M09mVGZjNWJhTUc3aVclMmZkblZySnZvbnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9Ijc4NTc1MCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzMzODMwOTA1OSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzM1MTU5MDY3NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM4OTI2ODQzNjYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI0MjUwIiBkb3dubG9hZF90aW1lX21zPSI3OTE5MjIiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTQxMTAiLz48cGluZyBhY3RpdmU9IjEiIGE9IjEiIHI9IjEiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins3MTNBQjhDMy05QkQ3LTQxMTAtOTlERi1ERTk4MjNFN0RGMTV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjY2MDgiIGNvaG9ydD0icnJmQDAuNzAiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MTBGNjIyOEEtMjhEOC00OTk1LUFGMUQtQjIyQUFENEVDNUU5fSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe

Filesize
6.6MB

MD5
b4c8ad75087b8634d4f04dc6f92da9aa

SHA1
7efaa2472521c79d58c4ef18a258cc573704fb5d

SHA256
522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

SHA512
5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.7MB

MD5
3646786aea064c0845f5bb1b8e976985

SHA1
a31ba2d2192898d4c0a01511395bdf87b0e53873

SHA256
a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f

SHA512
145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4

Download Submit
C:\Program Files\msedge_installer.log

Filesize
70KB

MD5
1c4c7389dd7aafd8a2a70d36fbe70e6b

SHA1
3d3d9782801aabf1a1edcb6eb534e12225512fbc

SHA256
e7ab642d43b762d440ca99bd4925fdd5eca57c7469272a22b69cf440efd46588

SHA512
470071942572f174477e10db9f8940cb63da4213eca52f82bfc5e1bf2dbcd553b92f2e3e5022b39609e7ca3efe2c8debd20143fbe24b58350a5c18a4577aeddc

Download Submit
C:\Program Files\msedge_installer.log

Filesize
96KB

MD5
7daa9cbe5c885bd3fcbc95e0cc5ccc65

SHA1
72498815de2fab7baafde293695edea77c5699d5

SHA256
43c71151812126c7113a6df8c28251e012a48c5aa9a4949526d9c36c55c1a8f7

SHA512
6b8e63ec4823100dc83b5566f28a88116d4271b4a4a58de0f78d1184a891c87271cc245e23e0801d7a354de295834d3b8781f6bec1b6de525f84ebbfa75dd4d5

Download Submit
C:\Program Files\msedge_installer.log

Filesize
101KB

MD5
ef041b93fe3647aa894c7dd271998dde

SHA1
d1e8bcb08e7be75b71d9066a0efcad980846c949

SHA256
ea03ce086b39dbb8a8930d6f8faf31b204202cf16715b6104974b041fdeb204a

SHA512
08fc5f4c4b2b041c5a4b647b883d0444fcd967f382eb384bebe5ac98c4da5f59dcad9e15c95602ff810b7f27f708d8bd0a69e005fa05157da66224771e029310

Download Submit
C:\Program Files\msedge_installer.log

Filesize
102KB

MD5
d1bab77678c3cf29a239e62c09a7a406

SHA1
a103b45f4b6d715d10db72fb0c285937a88f2748

SHA256
f8971aa2fe297a0b44bf19603b7b7abeae6d4549a4543e3da9516da49d9740a3

SHA512
784e11bdac9e669cd48e008ab5a43e7f9b07399d4d598324b156342f183a9bf08fb56cb83c05c9aef236c6b1c1e8e359b7c8b642711ab7a6aa64c6c22da0f42a

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
1.3MB

MD5
5e700bc9ace8593aaff634e63ec48017

SHA1
1916226b9f1a53cbc627412ad5b8199c69cf0566

SHA256
697e76a8c63793dabc98fbbd221321406444f3dfb67c7cb727f7cb71b20de5fd

SHA512
f5a18f71e8d3625bf2b50922dbfd656456147fff2aae717e86c23e083cc684d43f00270c0f540fc61a2c32e0b1aea2ffdc44436d4bb7cb77586f50e6e307f338

Download Submit
C:\Users\Admin\AppData\Local\Temp\790513c571684654ad33497c4491e1b3.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
memory/1712-90-0x000002126B370000-0x000002126B5B9000-memory.dmp

Filesize
2.3MB

Download
memory/1712-89-0x0000021269DC0000-0x0000021269DC8000-memory.dmp

Filesize
32KB

Download
memory/1712-88-0x0000021269D90000-0x0000021269D9A000-memory.dmp

Filesize
40KB

Download
memory/1712-87-0x0000021267BC0000-0x0000021267BCE000-memory.dmp

Filesize
56KB

Download
memory/3144-24-0x000000001BF20000-0x000000001BFBC000-memory.dmp

Filesize
624KB

Download
memory/3144-21-0x000000001B900000-0x000000001BDCE000-memory.dmp

Filesize
4.8MB

Download
memory/3144-19-0x00007FFFE85C5000-0x00007FFFE85C6000-memory.dmp

Filesize
4KB

Download
memory/3144-25-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

Filesize
32KB

Download
memory/3144-26-0x000000001C1D0000-0x000000001C21C000-memory.dmp

Filesize
304KB

Download
memory/3144-28-0x00007FFFE85C5000-0x00007FFFE85C6000-memory.dmp

Filesize
4KB

Download
memory/3144-29-0x00007FFFE8310000-0x00007FFFE8CB1000-memory.dmp

Filesize
9.6MB

Download
memory/3144-30-0x00007FFFE8310000-0x00007FFFE8CB1000-memory.dmp

Filesize
9.6MB

Download
memory/3144-22-0x00007FFFE8310000-0x00007FFFE8CB1000-memory.dmp

Filesize
9.6MB

Download
memory/3144-23-0x00007FFFE8310000-0x00007FFFE8CB1000-memory.dmp

Filesize
9.6MB

Download
memory/3144-20-0x000000001B380000-0x000000001B426000-memory.dmp

Filesize
664KB

Download
memory/3436-0-0x0000000074772000-0x0000000074773000-memory.dmp

Filesize
4KB

Download
memory/3436-7-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3436-6-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3436-5-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3436-4-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3436-3-0x0000000074772000-0x0000000074773000-memory.dmp

Filesize
4KB

Download
memory/3436-2-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3436-1-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download