Analysis

max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 11:25
Static task: static1
URLScan task: urlscan1
General

Malware Config

Extracted config (family: njrat):
- Platinum
- HacKed
- 127.0.0.1:6522
- Client.exe
- reg_key: Client.exe
- splitter: |Ghost|
Signatures

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ilasm.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
Modifies registry class (38 IoCs)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- 2744 msedge.exe
- 2744 msedge.exe
- 4764 msedge.exe
- 4764 msedge.exe
- 2440 identity_helper.exe
- 2440 identity_helper.exe
- 3972 msedge.exe
- 3972 msedge.exe
- 1008 msedge.exe
- 1008 msedge.exe
- 1008 msedge.exe
- 1008 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
- 4764 msedge.exe (8 identical entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: 33, pid 4172, AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, pid 4172, AUDIODG.EXE
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (27 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
- 1376 NjRat Platinum Edition.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree (indented entries are child processes of the entry above them):

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/JumperYT-official/njRAT-Platinum-Edition-RuS
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4764

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc81d646f8,0x7ffc81d64708,0x7ffc81d64718
    PID: 1260

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    PID: 1048

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 2744

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
    PID: 956

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    PID: 804

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    PID: 4256

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
    PID: 4748

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2440

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
    PID: 728

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    PID: 1696

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
    PID: 4928

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    PID: 4476

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5208 /prefetch:8
    PID: 4484

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    PID: 4804

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3972

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
    PID: 2148

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17670956522273219594,17284063380639967969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2600 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 1008

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3192

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3440

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 3564

"C:\Users\Admin\Desktop\njRAT-0.7d-Platinum-Edition-RuS\NjRat Platinum Edition.exe"
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 1376

    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Desktop\njRAT-0.7d-Platinum-Edition-RuS\New Client.exe"
    - System Location Discovery: System Language Discovery
    PID: 4920

C:\Windows\system32\AUDIODG.EXE 0x300 0x2f4
- Suspicious use of AdjustPrivilegeToken
PID: 4172
MITRE ATT&CK Enterprise v15
Downloads