hxxps://fullcrypters[.]net/njrat-v0-12g-by-dx523-golden-update-2021/

Analysis

max time kernel
83s
max time network
81s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2024, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fullcrypters.net/njrat-v0-12g-by-dx523-golden-update-2021/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-801765966-3955847401-2235691403-1000\{476C3290-9B48-4FFB-B04E-9198E27FCE81}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0	NjRat 0.7D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	NjRat 0.7D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	NjRat 0.7D.exe
Key created	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\njRAT-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
644	msedge.exe
644	msedge.exe
3080	msedge.exe
3080	msedge.exe
2624	msedge.exe
2624	msedge.exe
1068	identity_helper.exe
1068	identity_helper.exe
2508	msedge.exe
2508	msedge.exe
2040	msedge.exe
2040	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4604	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
1740	NjRat 0.7D.exe
1740	NjRat 0.7D.exe
1740	NjRat 0.7D.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
1740	NjRat 0.7D.exe
1740	NjRat 0.7D.exe
1740	NjRat 0.7D.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	NjRat 0.7D.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4708	3080	msedge.exe	78
PID 3080 wrote to memory of 4708	3080	msedge.exe	78
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 2068	3080	msedge.exe	79
PID 3080 wrote to memory of 644	3080	msedge.exe	80
PID 3080 wrote to memory of 644	3080	msedge.exe	80
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81
PID 3080 wrote to memory of 4364	3080	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://fullcrypters.net/njrat-v0-12g-by-dx523-golden-update-2021/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xe8,0x104,0x108,0xdc,0x10c,0x7ffeeafb3cb8,0x7ffeeafb3cc8,0x7ffeeafb3cd8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3125702371470445786,17126065636479717085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5092

C:\Users\Admin\Downloads\njRAT-master\njRAT-master\NjRat 0.7D\NjRat 0.7D.exe
"C:\Users\Admin\Downloads\njRAT-master\njRAT-master\NjRat 0.7D\NjRat 0.7D.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004F4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54caf18c2cda579e0dad6a9fc5179562

SHA1
357d25de14903392900d034e37f5918b522e17c9

SHA256
28d77529de92eb605d8afee0e133a7d08e13d4386e5e38d63e2da34623eaad6b

SHA512
88da5a33df9d82408afb8344ec7dbaf7686435fdb55eccfb85d5560f39861e84cef5d71949d5efe7a191778e6be755a8448f3fc3d7043007037f9f5227e10210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
696ffba7b83ecf008523e96918f200d9

SHA1
970d90e22c8b3674fc33cdd1913c51ef28514255

SHA256
dc6dacd725d7385b2e4db1f488d93f2840d2289efdaaf3737849304d1ab9ba34

SHA512
f8528683b70b58376f3eba3338fa6b462c9e9248c72524573005cff6397a0556bdcc2fdc2ebb020ba8218bc8174ba552002f223a245dfe3d3688826d24d63237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c514e04244c150ea49198458c9c33d20

SHA1
8e7eb902f7c40c65763876859decc02ebcb913e3

SHA256
14284804d4b21c6f573458310b551e2ce4c0a22800405d2603547211d11a55ee

SHA512
714fb5bd4906036d2c544449a59b682e1932e8caf09b73a3ba7627ab478a428139d9724af8d80a70fd6386436ba74f91694aa26d4a57bcd97d5d0f8b3985d185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
091d9452f13dc9051da46e3a1ca97feb

SHA1
96a59974ed3d0671c8309da98e20f74455c6e067

SHA256
eaada969b8ab22206bf868a590078d400dcd2edd35a11a09bd01ea059b161578

SHA512
be1764f3e4d7eba52ef0d1e2fb7675547ab2fba24a9e1eb57c878cdc4dda441ff658750bf372203acf07e850d2740cc3012f4f9b6e4dbafc4b3e62a71a8b61cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9f0b8c47a3b01f5c3454317e60f0829

SHA1
bf8d0a5163fdd6708476cd3d73d360e18e27b048

SHA256
454d887de6c7824bb356c68d9ef4207fee5c6a47a04156f54f29180222e2b6c9

SHA512
e99c2eee8fed4bf3cdb6ecf57bbf8973195d532c5e36fbde5b6df6463fd11b80fa9a0bd6a79d05ac6d3d26804123b7904c0391fa0c5f52c099f311b1dad50292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c693fb1b2e918a4760105bf10cb57be2

SHA1
269559ee1ff9dfd0dc7873b7fc33c85769465a12

SHA256
34c94c64c9016c469c9fd7418abde39fc3c46737a92fcc925da8573bb84611cf

SHA512
2630f9f279570588c0abdcf00da62d0a717bbb10279033313e513e4b1a1cf5e082609c81141a1547f3dcddbb2acad3ca703262a52a5febafdba6b1aa97a65115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6d23b145f09399d7574678405b4486dc

SHA1
3e8c81e8fc6814293630580045d66ddd313d4e7c

SHA256
7bbb8e6165bfcbf997256707a20455d27aa436bf25c7e1706db811e8d9e5c0dd

SHA512
a8afaeb666ff14b446bcfeb4a80bb8dc2f3075d0510da9d06c0fae149f61159ae9aa24f6c5c69f944b1f94ffc35dcae741ece0212e572ba3dbe79f0a47f42aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bd97f8653e1fed81d5d5e063fb9be9fd

SHA1
1f5bbf99778af749da62a64a3af19393807f759a

SHA256
dac982c509d13f0537124b105f21e793cee701e2df9c5f437e52560fd6c24cb1

SHA512
d3d451076b04d71d0b36d18d49697e90bf5624cc6d27a9f64d2fb823020cdd0e1e99e3dc7e0e36f8bce8be4e06b323779dbecf570bfe4006197c540df8452082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bed2dbdeb0d450a1ea0a53fcaa9e3906

SHA1
f8a56fee7beb4b65f579ba8ac0fdf90ccb4d140d

SHA256
33a5742b66e6be2ec20257fd78017cd3c76cf31ef10eb96c797c85b620682a8d

SHA512
76a809e4fe3f9098081f8774dc293ff4085c404adbbf285ab7ebf08af71c818624ac36e65dea5862db1b6e1e7aa0e3f7f06e19a9d9036baa6ac6b02c27c39147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c498.TMP

Filesize
1KB

MD5
b217a7ce54605c0b3079f7572d44f5cd

SHA1
7250d6b520e191425fa08361bc89378daab655de

SHA256
abdefd7baca2404b404fa1a84dec7d802a9411319725b5a1d2c01f532b11fdd6

SHA512
1fdda82506c0e16f3e05b5c1ca17ec8b64937640117d7b77031a3d248dca0186d60cd06fcb31103b8327ffe70e7e55d779d6a3a642c8f582d538d0dfc4b3b13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ff9decce12cd51af5f17e18dd4a3f4d9

SHA1
06f50ee2db76d629b715a3e7223115d1e9755067

SHA256
f85303ba928206f16d46309f4ad932a651451171f544d774f961a4d156c0832f

SHA512
0dbdddb43fce0d9a536a24997e4e88d6f6fdc7983dd72cbc70812963cd362a9d370065f1c1bac72e35ef60525573eff5608928f5f706a7a892b5301b74e3b7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6677e35e02b814fae40f506043f25f3d

SHA1
06d318f6b4463ab85e1b7e1f156f2aff7c103b91

SHA256
1c1c43a3fe174deb06fa5d0b5c8bbec5ea242cfaeff75d400ce477cf5056daeb

SHA512
d46d5d810e23b762573266fc3606eef9aa3173cadd7d0e4510c0d008fe3c4c3376431cde4818088bc3e35df5f951fdaed657fecc21f8fc9e20f0b903bb68f00e

Download Submit
C:\Users\Admin\Downloads\njRAT-master.zip

Filesize
46.0MB

MD5
6318adce1779a328fdd8e33dbca7ebaa

SHA1
00e05604d7a40efb70818e692f004066577518d4

SHA256
5cad0f0bcb8b6167a84e7b2b6c355eccee87ca741befd37fa6a61a5b82b18e03

SHA512
35f76dde85646c6a325d6ddefc7c584214fe7a42f1db453030a65d9baf75601d2c29eb39321c43573ddf7260e6f3de96812de5af3a76f9af5d97c6001574ed7b

Download Submit
C:\Users\Admin\Downloads\njRAT-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1740-422-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1740-421-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1740-420-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1740-423-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1740-419-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1740-447-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1740-448-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1740-449-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/1740-450-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1740-451-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download