njrat | hxxps://github[.]com/simalei/njRAT

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 21:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/simalei/njRAT

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

68994d2a0d681679ec2add66fb617e1a

Attributes

reg_key
68994d2a0d681679ec2add66fb617e1a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2572	netsh.exe
4124	netsh.exe
5108	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	Server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D Danger Edition.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NjRat 0.7D Danger Edition.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	NjRat 0.7D Danger Edition.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
5004	msedge.exe
5004	msedge.exe
4324	identity_helper.exe
4324	identity_helper.exe
3956	msedge.exe
3956	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2396	Server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	2032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2032	AUDIODG.EXE
Token: SeDebugPrivilege	2396	Server.exe
Token: 33	2396	Server.exe
Token: SeIncBasePriorityPrivilege	2396	Server.exe
Token: 33	2396	Server.exe
Token: SeIncBasePriorityPrivilege	2396	Server.exe
Token: 33	2396	Server.exe
Token: SeIncBasePriorityPrivilege	2396	Server.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
2336	NjRat 0.7D Danger Edition.exe
2336	NjRat 0.7D Danger Edition.exe
2336	NjRat 0.7D Danger Edition.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2336	NjRat 0.7D Danger Edition.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1088	5004	msedge.exe	82
PID 5004 wrote to memory of 1088	5004	msedge.exe	82
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 3632	5004	msedge.exe	84
PID 5004 wrote to memory of 4040	5004	msedge.exe	83
PID 5004 wrote to memory of 4040	5004	msedge.exe	83
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85
PID 5004 wrote to memory of 4000	5004	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/simalei/njRAT
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb30e546f8,0x7ffb30e54708,0x7ffb30e54718
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,2996483822288505392,1326131846387765037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:520

C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\NjRat 0.7D Danger Edition.exe
"C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\NjRat 0.7D Danger Edition.exe"
1⤵
- Modifies registry class
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2336
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe"
  2⤵
  PID:4796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe
"C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2396
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2572
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4124
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe"
  2⤵
  - Modifies Windows Firewall
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:3940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb30e546f8,0x7ffb30e54708,0x7ffb30e54718
    3⤵
    PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
011193d03a2492ca44f9a78bdfb8caa5

SHA1
71c9ead344657b55b635898851385b5de45c7604

SHA256
d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0

SHA512
239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\51bef2c4-ee2f-48dc-9045-45b883260bf1.tmp

Filesize
5KB

MD5
b14eb122aec39c92ff78487266727cb9

SHA1
57baee3da76d74e0fc119bc243cf49d77995e31a

SHA256
0baf2c33b48d812cfd420932bd6a3bdf5d86952e953453345127d61c94bd434d

SHA512
bdf189ede174d086e957a91b9cf94773854fe9fd795d1aa631b675489a987a19edf2e9565ca031e59369c530038ab4607d0775b4f2513e521f62d61ba707ab6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f5c6c687041b336ce9caa837eb50211d

SHA1
ab6a26a803e8d2030e7da307e9538ea71415b209

SHA256
c4dec398aa25da570db09c25cfaeec1ea4b2e75169528b3a129fa7ac96223de4

SHA512
3b9c07dc1f6675f8949da79a14c4c8b357698fb8c2938fca352367dc8ecc5d46fe6084ede4bea27188f5783a7ed9e879b7b81a5c1245147a7e86cae5f33a2a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
42b5a4e81342526eb6f8b40625e49097

SHA1
8ab39cf7669ae0e4bb1146d62af59777d8e30fc4

SHA256
2a7b38b09957e985444c358e91b19b2b7f19016b78b1f1041f39106c4025d2a7

SHA512
e0a8da2d25d09f3cb89df84b95c90439b8408d73faa5d52101025fa984dee87fdbede98985a40a605332253d2b4160e5bcce010c7eb24446a68e679c3b58fcf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c278dde9e1ef838bbae4a9b3710fbee3

SHA1
50cdad3cc25f3c5f5ed165f3555f9f4b3ff236b3

SHA256
b31b4ae993d349832c9989f899e525d4672f728e5fe088dc4220ebed88e09dfc

SHA512
ad6e762050e253be1e06346fdf7ce1cac4097f371a49f28f1d6c3c69dd504681e4c2526e23538c913fac3e2d31ce7d4cc37c8aea15c3058fe0905225dde321e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b96d4af422bbde8de029abf7ce207249

SHA1
9640274de062a486f824ab61c8e43479f1f814e4

SHA256
83f68383ac3c14540bcb28f3159c523526c838702da92f746f5dd57e4e503d78

SHA512
a52ecd518200e90f69b87818ff6c2e762c3141d1c4fbc5e15d1e27c8672b084e51a30573b38cfe0d2e2c642585ee9bb92623149d9e3eea09f5fa1036cfda4457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d567620834254de77fd889cffe7f0caf

SHA1
64fc6bc0f7c4c189df5c36f8f5d2e04fd9efb728

SHA256
a85fe31f28966ef1c1021af746eec4f9bc4b6a25bb1ecd5e7583d0dfc94418e6

SHA512
d077b9769de639997292c82c285105d24c1d97ccae23c5350a60108d0d8d7c636ac3fa0d588059491d8724943b38087fb3c52378ff174f0d6ded8aa9df49f577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e29ff0bf5df3ca16c8f73aae65ea6ce7

SHA1
92c6594c8add5e003566bdc975aa359279ca4c69

SHA256
2bf84d7de38987c1eb0ceb4d48335911443dc5cc1018b7f2112f31d368ae77fe

SHA512
5026b512607740ca5010b355a481c0c1313285cdb9b56a65963446e2c534ebb345f4b24d0864e9b141f0c378c009cf22771ccc46fc8b705aca52b726f7b42add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9950e0981c280fca317084ea86a2beb3

SHA1
5b70b938c2ef09cdc4f999eed74b06c1fab5a114

SHA256
f30c96abf4bd55d56643cd0c4b3b95b84e5baa175fe44af2096866d00ee9ec29

SHA512
2022db3f11e3b688bcce90ee60b650ae08d2f1bb2c8b18c8cd014e19872dc29504c31130e6f95103bcbefd0bfde43da43f3f4dfbbf9dd1cbe05bb8a65439fb2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f5b764fa779a5880b1fbe26496fe2448

SHA1
aa46339e9208e7218fb66b15e62324eb1c0722e8

SHA256
97de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d

SHA512
5bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
93746168cc6800e40b14ba0798cb4034

SHA1
f48fa25028c535a9487e8964ab0b8232b75e7b0b

SHA256
632f64c3310b50f140a90d6f05f64d970762084ad98d6c8926c551a4f6f896ab

SHA512
0637b68b02eed29fcdf172af801ff8d63d1edaacbf9f439d4b105c779df15272920980815db17b8542cbfd8fd28fcf99ff43f0f9400cfd498cea1b1706dfcb26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57df63.TMP

Filesize
874B

MD5
e5e49632d319d1a29f96268cceaa10c2

SHA1
5b3cc2109a40d52423cbd31acca6f43d0f712ade

SHA256
cb5717b772d1fe2056466b9fef600406334396876f105a9cc903566b9a094976

SHA512
524df21b3c2e21453133d5d4d2a0494105c9c065078f787ca6f81c258e305814317dc8dc07fe8855297685eb6d5cfe6a58191b95dc82bcf4cf863e82037f7cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9fbbb624ee5b80baeeddf94d7f501d70

SHA1
82eb29398b92e7cd009a6f362e89ccb51950bbf4

SHA256
6bd88ad9071f7248314b31e051829092d78b1fa9c19adf843c5ec38929af25f6

SHA512
96211c582a5750b3dd2f90b971dc3063cbb35120bef90f9f36526f879151eb1503621cffae19b00b0364ddfec1d3511f009ddbc91f6e5c53f626b2cc219aa2b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4e3a64e899459cacae09badbda890bda

SHA1
59d1d7ff501834878f361877e3036160ab0134a0

SHA256
9afa6ced4f8eb25763872d5c90631e3b2148f2144b965cb0066d5b2087db6fc2

SHA512
691b47f15095405120aea0b45d6d3fbbc4219b67aba6c5e256dfa86e2369f954e628af72e308ac0cfe6a766588e115ba6e0418f0c8691cc52be49d5cb1e5d0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9ba05f55192b057ad6da346f4cf57c74

SHA1
0e2d9dbf8a03cc390d325ecc80ffcd812cdab690

SHA256
ff2b1d4497ef0fd626ccf53b99caf1cd97e3cbdaabef52d0b38e31c6d04621f9

SHA512
ebd2f925c0e9145f7ab1044ab7514a4df3ec6d6f2593b4470520f77f3d49310755106955e80e281a283b242f01a926fbf1a509e10b2f9313251b4403c4fc0eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.il

Filesize
1.2MB

MD5
57a3ae73bbcd720d5f80f069f356fdf2

SHA1
f4056325a56ebc07aef2d71fcfd6ec8ae2e36478

SHA256
0e61f0d4b80e64313bfefd7e4f827557e9128ebdf874f2f79ad0bf7c91fb73f1

SHA512
5a48cde1cb12b5d0c4e387a3faa33673a5f18d8b5b3b057fa10dc8434621bb52917420b9bb688ae3eb03ad70ffc51d096581cfe393bcc868167ce8be312ea7ea

Download Submit
C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe

Filesize
93KB

MD5
2cf9807664b7d0f5ace5e31ef00773c7

SHA1
e3bfcaabd812d586e0b97c2f152d016293a36351

SHA256
af5c45ede02e4a641a42db4080dae57f86ddc630434250ac51925e67e28e3126

SHA512
63cc8f1743a7a3296c3d0480e7e727aa2bf8d93fbfb14b55cea53a594ab7cd8b191ba28e24827ff6b023fa8ed5ac638450e0bc9342f7a32093b5821f32e4b38e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 431887.crdownload

Filesize
3.0MB

MD5
0290ea8c6dafa9d7b57387d8ddbb49e9

SHA1
3fbd7f6c771eda8396644150fed6c40e0c9ec9ad

SHA256
6953f311956c58fbecc842f3c4346acb55b43a4d0249206c2f134575c2ea3a0e

SHA512
361f5a8a5310158086ce8a2ad44c1433e56ecad7670129f74517d895e8187c4c7524015605883d112678684c6da48d2d38152666bed178ea9bd018f42a8d0d45

Download Submit
memory/2336-375-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2336-381-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-372-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-373-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-374-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2336-258-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-376-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-377-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-378-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-379-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-380-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-261-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-382-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-383-0x0000000034E20000-0x0000000034F20000-memory.dmp

Filesize
1024KB

Download
memory/2336-384-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2336-385-0x0000000034E20000-0x0000000034F20000-memory.dmp

Filesize
1024KB

Download
memory/2336-387-0x0000000034E20000-0x0000000034F20000-memory.dmp

Filesize
1024KB

Download
memory/2336-399-0x0000000034E20000-0x0000000034F20000-memory.dmp

Filesize
1024KB

Download
memory/2336-257-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2336-256-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2396-395-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2396-396-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2396-397-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4796-388-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download