njrat | hxxp://w

Analysis

max time kernel
1200s
max time network
1201s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20-09-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://w

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

127.0.0.1:5552

Mutex

165d6ed988ac1dbec1627a1ca9899d84

Attributes

reg_key
165d6ed988ac1dbec1627a1ca9899d84
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3644	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
680	Server.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat 0.7D Green Edition by im523.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D Green Edition by im523.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NjRat 0.7D Green Edition by im523.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D Green Edition by im523.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
1408	msedge.exe
1408	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
2208	identity_helper.exe
2208	identity_helper.exe
4856	msedge.exe
4856	msedge.exe
4972	msedge.exe
4972	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe
680	Server.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4664	NjRat 0.7D Green Edition by im523.exe
680	Server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1804	AUDIODG.EXE
Token: SeDebugPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe
Token: SeIncBasePriorityPrivilege	680	Server.exe
Token: 33	680	Server.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4664	NjRat 0.7D Green Edition by im523.exe
4664	NjRat 0.7D Green Edition by im523.exe
4664	NjRat 0.7D Green Edition by im523.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4664	NjRat 0.7D Green Edition by im523.exe
4664	NjRat 0.7D Green Edition by im523.exe
4664	NjRat 0.7D Green Edition by im523.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4664	NjRat 0.7D Green Edition by im523.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4992	4604	msedge.exe	80
PID 4604 wrote to memory of 4992	4604	msedge.exe	80
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1844	4604	msedge.exe	81
PID 4604 wrote to memory of 1408	4604	msedge.exe	82
PID 4604 wrote to memory of 1408	4604	msedge.exe	82
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83
PID 4604 wrote to memory of 1428	4604	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://w
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffc8bfd3cb8,0x7ffc8bfd3cc8,0x7ffc8bfd3cd8
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,6813838724731053049,10946120055494736551,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2812 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2040

C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat 0.7D Green Edition by im523.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4664
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3564

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe
"C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:680
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d800e9be83c337de3d932a7e4af4c7b0

SHA1
cea21b8e10b7ba978cc7af6b19b5c9030ecad60a

SHA256
eb694fdb2446f4c1829d3aa285c3fef39a7d3aee4205397e152785c782a32867

SHA512
04724ae49edef011076513fc0d2aa29c2c5377677d5570b33b7e464cef75b1d885749d3ad9f84ca090ab2b5b0ebf3f5cafd1a6e963aee4cf0fd7485d05f83d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e070e45dd447b5927664ea7eaba22e4b

SHA1
1e39781c660c3ec9098f4ba00b3a7ac7888f5bae

SHA256
a653023ef1f697633a2fd821dc9212c718fbae17cb882048d96b4c47893d3153

SHA512
5ce5b25dbd87359efa0117830564c7c0ab7609b250527e77262dca6bb9681a9752858bf8c1f43ae0fb0d88c653fbc8a0dd6b0b3515a3fb9978e9d10cc4bb4b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
02f556dcbcfb60d6192fcc4100904122

SHA1
7558942d17cbcd9d7a2b339069ab5e258cd6a201

SHA256
af5437263878d8f7d577144333e6ef66dd4e72f32c829c89c599a4f3cda59146

SHA512
63468fc44f4bad62554c461f24de57efd72dd5133cc7de10c8e9119371e3c5a012a0886bf8d7b94ccc32dbb1ade27f02c82613ad5a1c33e8bbfde253f01ded46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb328c970f1d7631ac0f1c501d8ef04c

SHA1
920d518a4e42092eac36714731b498cd93d53406

SHA256
25f8a4f9b32c2592644de6897d3cb3b879677d89d292034a232a9d0cb37a9950

SHA512
da75ff6b18d9e2ecbdd9422afbd6c49fb4e9c3aa3f15ad1810d55b077fef13602f7320081f0d8c7fca15e3704e092746508f27be7aa3c5b31f8f50376384f857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d99c3ce9c71d1bfbc05454140257ede3

SHA1
0613969fcbaddaeeb8ad8baff92138c02d3817d9

SHA256
ac0be2828f30943b2d80c51bea75d943ca702858f4e6adcfbebecbe21c5df5f2

SHA512
1b22d05ec77329d0f504d555c415c9200fc43540beaa17fc1cb0836259e3ecf3bc04559ba077407b05cd115ed5bfe557db68f78aab7aace3c05992e6e77b5912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a74bf06059953bf7c9826a720fac697

SHA1
6b515eedb3b969f4c0ef86678dc11dbc60bec4c5

SHA256
4ef4a50df4c4dbe5529272bcf9d42589717c73a9b24d9b9b19b4522cfee18f03

SHA512
8c3b465cd7c77d75a905f7c512249b684fa2271e17ca281155502371de0b573ea5be217022ee59ec917cc4b835a5d5ce5d173077e5e10b51f5551b7773df6ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e89b.TMP

Filesize
1KB

MD5
3f5d3b2dbadc0524a3ebf9aad6a039d1

SHA1
1d82677e233dd0be8377536ec60333f186fc901c

SHA256
5d437d5c81dc6b36d3d6068bd75584b7c565f0779bf05cbcb4176dfc30ef8837

SHA512
f1b5c93f46211f84f7e225c76a374ca1feae70c6dbe8b5c11d6e0cf8852927b9e01996fb49fdd1107c087c15da9ea7ce06e24a6e95aff413075549e515cc6e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7ad68887e3b13be8492f2865509acf66

SHA1
68e1194c20024967b2bb9b6712bf23bebf579bef

SHA256
c61ccfcc7a344e93d655ce8e625e367689c9f13a9c16780fbbbb24020f19028d

SHA512
6ec35000471a1f3673d674e212b37fd5ad0ef6248ea4792dec859ba7dae77b3095fdfac7c2fa44e986c4ee07656b634cc02f6c69ec5826ac9eb4a8fabcbc9469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
576a17ab8030d0e95a4b951c8b7ad608

SHA1
f07f0e2b3e3bc4960af373410fb8ffe256ec9eb4

SHA256
c1fb68e07f453df27037e884a91a0932eae267951574bf81338962d20f0dc775

SHA512
4764e388ada8328cfe7864d91763230fe1fbb569425a22e2a80aa7c099ac6c8075adb62ebcfc97b24b4bb9f3690394572892342b34483857e7f4f846f076f604

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.il

Filesize
399KB

MD5
8c535860a3e930693bcd0b3208420543

SHA1
7c43801272b18ac958e6099567d37bd93150109b

SHA256
8babcbeaab9bb7b31e4c7bf6ac9493ee5ce154bfb46cbbec9c5b7744bc799b91

SHA512
1fbfea733375df9c4cf737544e73f3216608a5c50443f480ee24705f0a0e4f21cc88b8c1f00badd9716c67ebe31a351890b72eafde784cdd46e5a5533b3690ce

Download Submit
C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master.zip

Filesize
2.8MB

MD5
77ddab4d4d6660d37e196938a5cc8979

SHA1
1401c14fc8b6e1cfd3d27ae1221e3868f5d0bcea

SHA256
eb37f92d1b15e9fefd836b1dabac9ead57eb279b1744f9ca51622bb608b05f86

SHA512
3797bf795a4554bac2f0f8ff21bfc9a6b9a79378c1cf89a8247f2c2905975dd34fc6098b16dfbde348f3384e805b88ed639e35a919769579d37cd9a94bcb5ca0

Download Submit
C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master.zip:Zone.Identifier

Filesize
106B

MD5
162a76888e2fa3e5e0e934aee4520a05

SHA1
c1d4d6fbfb03f32591f1aa2f1be2a43f69e8c585

SHA256
0be30ea45af8abc193809693ea40596716426ff904bc9c4276ec5717b41c1f38

SHA512
a00367fb2ac8d50e86c0af98517b3b9fa661b3d4ad40292b4c09a5115eacfa19a34d4cbec4b76a436698317518008160ed55296a586b51671effea29edaf6921

Download Submit
C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe

Filesize
36KB

MD5
f4ac80d3b88e5c25a0e78b8c776217af

SHA1
5fceb6d7ac6fbbc8925703140201c92eb13060f0

SHA256
f6cf5d334132b488530e4b61293002c9a4eb7c2f7d934763429f519c8625a76b

SHA512
20946ecf8cb92e95352ce64fbbcd5a52d9f6b80fbe0e6dd97c0c0cb9daf170f87adace806bd4e80393011899658700819bbb0e8a906b37c9165b1cc476160106

Download Submit