njrat | e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45

Analysis

max time kernel
897s
max time network
897s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2025, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nkth.exe
Size

55KB
MD5

33644523cb6a6c01bbf2dd5c3a97aafc
SHA1

7fd0d35a09a32693d30ffdb49ecd69c1229d2a20
SHA256

e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45
SHA512

43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b
SSDEEP

1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Downloads MZ/PE file 4 IoCs

flow	pid	Process
65	3012	Process not Found
91	3012	Process not Found
48	1896	Process not Found
70	1896	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nkth.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4868	MicrosoftEdgeUpdate.exe
3188	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1324	nkth.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe
Token: SeIncBasePriorityPrivilege	1324	nkth.exe
Token: 33	1324	nkth.exe

C:\Users\Admin\AppData\Local\Temp\nkth.exe
"C:\Users\Admin\AppData\Local\Temp\nkth.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTdENDlFMTItODYyRi00RjMwLUFDMTMtRDM0NzU3NDZCOTlFfSIgdXNlcmlkPSJ7NzNCMDU3QUEtQzhENi00OTI3LUFGMTgtN0IzMTU1RUM1OUZGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OTkyRkUxQkUtMDQyQi00REFBLTg4MDYtMTMyMUJBOERDQUUyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4MTUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE1MzQzMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTM1NTIzNTMxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4868

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTdENDlFMTItODYyRi00RjMwLUFDMTMtRDM0NzU3NDZCOTlFfSIgdXNlcmlkPSJ7NzNCMDU3QUEtQzhENi00OTI3LUFGMTgtN0IzMTU1RUM1OUZGfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntBQ0NCQkI0My00MTJFLTQ0MkUtODYzQi0yMDU2Mzk0NTc3MjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuNDMiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7QTI3MTNERDktOTQzMS00QUUwLUEzOTEtODQxRDRBMzYwRkE1fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjEiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQyMzEwNTExNDQ1NzAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MzY0NjEwMjciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQzNjQ2MTAyNyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTIxMTM2NDkxNTgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcxNTQwOSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1Vb0clMmJaU3I4bnZHalhqaWlLVkdaaE1GcDRTMkJoR3g4R2hBdFg0VnAySlNKU1R1N0p4ekx3Rjlnbjcxa2xwbyUyYk8lMmZISkxmM2ZFOHRrU0ZFJTJid1dURlpRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4OTQiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyMTEzNjQ5MTU4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcxNTQwOSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1Vb0clMmJaU3I4bnZHalhqaWlLVkdaaE1GcDRTMkJoR3g4R2hBdFg0VnAySlNKU1R1N0p4ekx3Rjlnbjcxa2xwbyUyYk8lMmZISkxmM2ZFOHRrU0ZFJTJid1dURlpRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iODExMTY3IiB0b3RhbD0iMTc3MTgwMjE2IiBkb3dubG9hZF90aW1lX21zPSI5MjUxNiIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjg5NCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTIxMTM2NDkxNTgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NzE1NDA5JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVVvRyUyYlpTcjhudkdqWGppaUtWR1poTUZwNFMyQmhHeDhHaEF0WDRWcDJKU0pTVHU3Snh6THdGOWduNzFrbHBvJTJiTyUyZkhKTGYzZkU4dGtTRkUlMmJ3V1RGWlElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIxOTkuMjMyLjIxNC4xNzIiIGNkbl9jaWQ9IjMiIGNkbl9jY2M9IkdCIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSJISVQiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iNDY1MDEyIiB0b3RhbD0iMTc3MTgwMjE2IiBkb3dubG9hZF90aW1lX21zPSI1NDk4NCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTIxMTM2NDkxNTgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcxNTQwOSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1Vb0clMmJaU3I4bnZHalhqaWlLVkdaaE1GcDRTMkJoR3g4R2hBdFg0VnAySlNKU1R1N0p4ekx3Rjlnbjcxa2xwbyUyYk8lMmZISkxmM2ZFOHRrU0ZFJTJid1dURlpRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4OTQiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyMTEzNjQ5MTU4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcxNTQwOSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1Vb0clMmJaU3I4bnZHalhqaWlLVkdaaE1GcDRTMkJoR3g4R2hBdFg0VnAySlNKU1R1N0p4ekx3Rjlnbjcxa2xwbyUyYk8lMmZISkxmM2ZFOHRrU0ZFJTJid1dURlpRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMzMwOTA2IiB0b3RhbD0iMTc3MTgwMjE2IiBkb3dubG9hZF90aW1lX21zPSIzNzM2NTYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI4OTQiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyMTEzNjQ5MTU4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJ3aW5odHRwIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcxNTQwOSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1Vb0clMmJaU3I4bnZHalhqaWlLVkdaaE1GcDRTMkJoR3g4R2hBdFg0VnAySlNKU1R1N0p4ekx3Rjlnbjcxa2xwbyUyYk8lMmZISkxmM2ZFOHRrU0ZFJTJid1dURlpRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iMTk5LjIzMi4yMTQuMTcyIiBjZG5fY2lkPSIzIiBjZG5fY2NjPSJHQiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iSElUIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjEzMDk1NTciIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9IjEwMzYyNSIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIyNjg0MzU0NjMiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyMTEzNjQ5MTU4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMjgyOTciIGRvd25sb2FkX3RpbWVfbXM9IjY2NzcxOSIgdG90YWw9IjE3NzE4MDIxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiLz48cGluZyBhY3RpdmU9IjEiIGE9IjIiIHI9IjIiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9IntCQjMxQUREMi1EMEJELTQ0NzktODgyMi1FNzBGNTk5OURDQTl9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGU9IjY2MDgiIGNvaG9ydD0icnJmQDAuNDMiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7RUU1OEU2ODctREMzNi00NkIzLTg0NTUtQjVERUM3NTk2NzE3fSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3188

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4996" "1000" "860" "1004" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
861KB

MD5
e9d37f8be8c233e2f0cb09e1e6c4ee01

SHA1
b209b3434ec118273e0941e528a1962a0e034a76

SHA256
8c53b511a5780338fe89793120eb3b2bb8117114d8275e87303c8b03e37f1403

SHA512
aa99a37f94dd104762e7921d9a2a447bfb833f31e7443a69fd9fc113944fd11cd119de180b4c7c39bf9c45d2039af040dfa76cfe13b8bc9a10cd2c33c1246150

Download Submit
memory/1324-0-0x0000000074912000-0x0000000074913000-memory.dmp

Filesize
4KB

Download
memory/1324-1-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/1324-2-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/1324-3-0x0000000074912000-0x0000000074913000-memory.dmp

Filesize
4KB

Download
memory/1324-4-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/1324-5-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads