njrat | e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45

Analysis

max time kernel
897s
max time network
895s
platform
windows11-21h2_x64
resource
win11-20250207-uk
resource tags

arch:x64arch:x86image:win11-20250207-uklocale:uk-uaos:windows11-21h2-x64systemwindows
submitted
08/02/2025, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nkth.exe
Size

55KB
MD5

33644523cb6a6c01bbf2dd5c3a97aafc
SHA1

7fd0d35a09a32693d30ffdb49ecd69c1229d2a20
SHA256

e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45
SHA512

43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b
SSDEEP

1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nkth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5740	MicrosoftEdgeUpdate.exe
1892	MicrosoftEdgeUpdate.exe
3268	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2128	MicrosoftEdgeUpdate.exe
2128	MicrosoftEdgeUpdate.exe
2128	MicrosoftEdgeUpdate.exe
2128	MicrosoftEdgeUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4204	nkth.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: SeDebugPrivilege	2128	MicrosoftEdgeUpdate.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe
Token: 33	4204	nkth.exe
Token: SeIncBasePriorityPrivilege	4204	nkth.exe

C:\Users\Admin\AppData\Local\Temp\nkth.exe
"C:\Users\Admin\AppData\Local\Temp\nkth.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3704,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:14
1⤵
PID:5628

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjBDRkI5QzYtNkE5NS00N0ZGLUEzMUUtRTdCQzY1RjIxRDkzfSIgdXNlcmlkPSJ7NjdGMUNENkEtMjk1OS00QzNBLUI4MEItNTI3MTZENzM2MDlBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTVDRjE3MzEtNUFFQi00OEE5LTlGRjQtNzRERjY4QkEyMTIwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NTM0NSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3OTQzMzU2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1ODg3MDgyODAiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5740

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "920" "1284" "1192" "1288" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3168

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjBDRkI5QzYtNkE5NS00N0ZGLUEzMUUtRTdCQzY1RjIxRDkzfSIgdXNlcmlkPSJ7NjdGMUNENkEtMjk1OS00QzNBLUI4MEItNTI3MTZENzM2MDlBfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntCMTIyMDg0QS1BRjE1LTQwRTYtODhCQi1BMUQ1RkE5MkE0MTZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDg2MCI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1OTU4OTU5MzkiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1892

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjBDRkI5QzYtNkE5NS00N0ZGLUEzMUUtRTdCQzY1RjIxRDkzfSIgdXNlcmlkPSJ7NjdGMUNENkEtMjk1OS00QzNBLUI4MEItNTI3MTZENzM2MDlBfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins3MENBNzZENi1CQTBCLTQ2NkUtOUE5OC05QjUxNjQwRkY4NER9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC45NCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins3MUVFRkRENy0zNTlBLTREOEQtQkNGNC04RkRCMDAzREZCREF9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuODgiIG9vYmVfaW5zdGFsbF90aW1lPSIxODQ0Njc0NDA3MzcwOTU1MTYwNiIgdXBkYXRlX2NvdW50PSIxIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0Mzg1MjIzOTIxMjMwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMSIgcj0iMSIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezk2RkY3RjA4LTIwQTQtNDM3NS04MzNDLUIyMDBFQURERUNGNn0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBjb2hvcnQ9InJyZkAwLjUzIiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MkI1Qjg0NDktMDIxQS00QTc3LTlDNEUtNzMzNDNDM0Q3QjI1fSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3268

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5332,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:14
1⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5424,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:14
1⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4340,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4540 /prefetch:14
1⤵
PID:420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4252,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:14
1⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5428,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:14
1⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4148,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:14
1⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4532,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:14
1⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5264,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:14
1⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4912,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:14
1⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5256,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:14
1⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4364,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:14
1⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4256,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:14
1⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5448,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4560 /prefetch:14
1⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5128,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:14
1⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5180,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4900 /prefetch:14
1⤵
PID:196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4556,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:14
1⤵
PID:896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5080,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:14
1⤵
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4128,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:14
1⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=uk --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4276,i,127395260945924701,10311264522798841209,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:14
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
400KB

MD5
72ecb02d5d217fb2dc7fa5218658054e

SHA1
c27318f37faf38cf8a1476fc46f0ae241591042b

SHA256
04e4e08674baa66fa82c29d874ce15ba39a4398d5640bf96ec9902762f50bba1

SHA512
d10ffeceb9a8898ac3b91c9cab85c2d99e0af7cb0214487629c430f6298a44b4351173ff441c0e38dcd056d05d6a9491b7375af260569a5dff0f698e9ccc2a3c

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
424KB

MD5
0a15f52a784ad7fb08ada3e212542b3b

SHA1
e3106c7e1707588c874246654ef876bea4351cc1

SHA256
97f815750f06c2689d45a43cdec4b97e25e3527470b4d6e72e3461e30db66f50

SHA512
04c11f74230000f2b10cc66447af579f41e9a0786fc59972f64a90673cbd41373ccd22266dad144a4d8bc75d66bfcfcf64845a3837211a8ca47a44c7da541fef

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
439KB

MD5
ca211f8f650957d62df10106532e74f6

SHA1
0431381a1f53a1bf365c3f0072ad46622297f011

SHA256
fb1cd0bc197704ad99633553cceb3ccc81926b5065359b8928f8c87d596104f4

SHA512
f4d58d44e744e19076c422e0050254f866ddf05f19ef762d6be0e21d484f89170d55b8234dacf414a783942aaddaf5efcd1266b393881209b5c36af6abf1f4fe

Download Submit
memory/4204-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/4204-1-0x0000000074530000-0x0000000074AE1000-memory.dmp

Filesize
5.7MB

Download
memory/4204-2-0x0000000074530000-0x0000000074AE1000-memory.dmp

Filesize
5.7MB

Download
memory/4204-3-0x0000000074530000-0x0000000074AE1000-memory.dmp

Filesize
5.7MB

Download
memory/4204-4-0x0000000074530000-0x0000000074AE1000-memory.dmp

Filesize
5.7MB

Download