Analysis
- max time kernel: 136s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-02-2024 13:41
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted
- njrat
- 0.7d
- HacKed
- hakim32.ddns.net:2000
- 127.0.0.1:5552
- 90cdc4299e3838b5249c33e1c7a2dd25
- reg_key: 90cdc4299e3838b5249c33e1c7a2dd25
- splitter: |'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process
- 1460 netsh.exe
Executes dropped EXE 1 IoCs
pid Process
- 672 Server.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Modifies Internet Explorer settings
Modifies registry class 30 IoCs
Suspicious behavior: EnumeratesProcesses 12 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
- 672 Server.exe
- 3472 NjRat 0.7D Danger Edition.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process
- Token: 33 3348 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege 3348 AUDIODG.EXE
- Token: SeDebugPrivilege 672 Server.exe
- Token: 33 672 Server.exe
- Token: SeIncBasePriorityPrivilege 672 Server.exe
- Token: 33 672 Server.exe
- Token: SeIncBasePriorityPrivilege 672 Server.exe
- Token: 33 672 Server.exe
- Token: SeIncBasePriorityPrivilege 672 Server.exe
- Token: 33 672 Server.exe
- Token: SeIncBasePriorityPrivilege 672 Server.exe
Suspicious use of FindShellTrayWindow 51 IoCs
Suspicious use of SendNotifyMessage 36 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
- 3472 NjRat 0.7D Danger Edition.exe
- 64 iexplore.exe
- 64 iexplore.exe
- 5024 IEXPLORE.EXE
- 5024 IEXPLORE.EXE
- 5024 IEXPLORE.EXE
- 4020 OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3064)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/simalei/njRAT/releases/tag/v0.7D
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3184)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaad2646f8,0x7ffaad264708,0x7ffaad264718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4160)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4308)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3708)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4596)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:5052)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:2940)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4404)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4188)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID:3900)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID:1516)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:1016)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:1828)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:1096)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5276 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4240)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:2764)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4824)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4644)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5148 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:1740)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3784)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,6334091553392957585,8239136935818588337,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6000 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID:64)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID:2200)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (PID:3348)
  C:\Windows\system32\AUDIODG.EXE 0x300 0x4bc
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID:4240)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\NjRat 0.7D Danger Edition.exe (PID:3472)
  "C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\NjRat 0.7D Danger Edition.exe"
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe (PID:2336)
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe"
- C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe (PID:672)
  "C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe"
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe (PID:1460)
    netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D.Danger.Edition\Server.exe" "Server.exe" ENABLE
    - Modifies Windows Firewall
- C:\Program Files\Internet Explorer\iexplore.exe (PID:64)
  "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID:5024)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:64 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID:4020)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads