njrat | hxxps://discord[.]gg/3gbQD6jK

Resubmissions

07-10-2024 17:00

241007-vh3a9azgnj 6

07-10-2024 16:59

241007-vhvw6sthld 6

05-10-2024 20:06

241005-yvemhawdlh 10

Analysis

max time kernel
380s
max time network
367s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-10-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.gg/3gbQD6jK

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

b4a3d1626d9951bfdb538db02f975e78

Attributes

reg_key
b4a3d1626d9951bfdb538db02f975e78
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
392	netsh.exe
3568	netsh.exe
2136	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4a3d1626d9951bfdb538db02f975e78Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4a3d1626d9951bfdb538db02f975e78Windows Update.exe	server.exe

Executes dropped EXE 2 IoCs

pid	Process
1884	b3 hacked client mc.exe
4188	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
9	discord.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	server.exe
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat 0.7D Danger Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3 hacked client mc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "135"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\1	NjRat 0.7D Danger Edition.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D Danger Edition.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3761892313-3378554128-2287991803-1000\{1AE3959E-AA99-4B20-A07B-599DC0B55FE0}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D Danger Edition.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Njrat.0.7D.Green.Edition.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NjRat.0.7D-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
4716	msedge.exe
4716	msedge.exe
4936	msedge.exe
4936	msedge.exe
944	identity_helper.exe
944	identity_helper.exe
3888	msedge.exe
3888	msedge.exe
3904	msedge.exe
3904	msedge.exe
2740	msedge.exe
2740	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe
4188	server.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4412	NjRat 0.7D Danger Edition.exe
4188	server.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2336	Process not Found
2952	Process not Found
1012	Process not Found
1364	Process not Found
4344	Process not Found
3756	Process not Found
2856	Process not Found
1680	Process not Found
4700	Process not Found
2036	Process not Found
224	Process not Found
3100	Process not Found
4868	Process not Found
1080	Process not Found
792	Process not Found
2072	Process not Found
2192	Process not Found
2000	Process not Found
1884	Process not Found
2424	Process not Found
1840	Process not Found
4804	Process not Found
932	Process not Found
1436	Process not Found
360	Process not Found
3936	Process not Found
1732	Process not Found
892	Process not Found
3424	Process not Found
536	Process not Found
4460	Process not Found
1644	Process not Found
1176	Process not Found
4212	Process not Found
2540	Process not Found
1844	Process not Found
1628	Process not Found
4532	Process not Found
4416	Process not Found
3988	Process not Found
1088	Process not Found
1460	Process not Found
1700	Process not Found
896	Process not Found
1484	Process not Found
436	Process not Found
2616	Process not Found
3192	Process not Found
4852	Process not Found
4168	Process not Found
2448	Process not Found
3196	Process not Found
3516	Process not Found
4436	Process not Found
1864	Process not Found
3560	Process not Found
2228	Process not Found
1508	Process not Found
2920	Process not Found
4608	Process not Found
4832	Process not Found
2372	Process not Found
1772	Process not Found
2864	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: 33	3152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3152	AUDIODG.EXE
Token: SeDebugPrivilege	4188	server.exe
Token: 33	4188	server.exe
Token: SeIncBasePriorityPrivilege	4188	server.exe
Token: 33	4188	server.exe
Token: SeIncBasePriorityPrivilege	4188	server.exe
Token: 33	4188	server.exe
Token: SeIncBasePriorityPrivilege	4188	server.exe
Token: 33	4188	server.exe
Token: SeIncBasePriorityPrivilege	4188	server.exe
Token: 33	4188	server.exe
Token: SeIncBasePriorityPrivilege	4188	server.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4412	NjRat 0.7D Danger Edition.exe
4412	NjRat 0.7D Danger Edition.exe
4412	NjRat 0.7D Danger Edition.exe
4412	NjRat 0.7D Danger Edition.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4600	MiniSearchHost.exe
4412	NjRat 0.7D Danger Edition.exe
3168	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1252	4716	msedge.exe	79
PID 4716 wrote to memory of 1252	4716	msedge.exe	79
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2064	4716	msedge.exe	80
PID 4716 wrote to memory of 2436	4716	msedge.exe	81
PID 4716 wrote to memory of 2436	4716	msedge.exe	81
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82
PID 4716 wrote to memory of 1772	4716	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/3gbQD6jK
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd250d3cb8,0x7ffd250d3cc8,0x7ffd250d3cd8
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1964 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,5253045194719304895,18426783162016453339,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6812 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1416

C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe
"C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4412
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\b3 hacked client mc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C UPX\mpress.exe -s "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\b3 hacked client mc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\b3 hacked client mc.exe
"C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\b3 hacked client mc.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1884
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4188
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:392
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3568
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2136
- - C:\Windows\SysWOW64\Shutdown.exe
    Shutdown -l
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3292

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a3a055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
67KB

MD5
929b1f88aa0b766609e4ca5b9770dc24

SHA1
c1f16f77e4f4aecc80dadd25ea15ed10936cc901

SHA256
965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074

SHA512
fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
27KB

MD5
17b6743977bcc7a7bb29fafc37f142d5

SHA1
a06d514d3d380b8c28696bba059c62cfc54deaa2

SHA256
7475e9358cc8ec5ae95b1b485ae0f5dfea9f22c375f9ccd1107b53025f71e3e3

SHA512
1696cb3834251d9f4c1a2bd5d884d06a5efe2b53e15834f9f78d60bfb186977abedb007a37eedf3a23b9347ee44853c1c715fa50faee04b9bc8cf0d3e712b5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
3.5MB

MD5
e92757fe498ab2589b04d5c5c0147d9d

SHA1
b050397d7e6c826a71038c1d9687a4f13515804d

SHA256
389b0402dc7e8a6e361ccdf332beb41f57f4d40b8acdd3d3493b87555ee8ddd8

SHA512
a6199d6fd416577935504ea2760ecfbc693c452c36583614c614a195f584b3ec1186b76d228977e67e259afc1546c88c96e64ddd8e235a42485a2235322dd183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3428525c49dbf59560cd3b8343ba6109

SHA1
1e397b6b544e11dc1f65c8da3514f336a8007fbc

SHA256
12143a63f3404d80d2e287d33c93073b9b52eb76eada4e234bf63a8a135ec5ad

SHA512
d3ba60d2c01d8dd4020eafbb5e6eeec1fb717387af3b7a23bbae47ba8935099ffb2afd01f4c1d71309dca230bc7e8a44932e0378112a8775fbd1f3c1d4e77132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c3add048c328fcfc794c92c7c3705312

SHA1
4c256a1d6eeeab152125f4f708dfcd9e94dd71a3

SHA256
f21eee0d3f96e1ad4602572b18766dfd462313cecb5e3dbe437f7dee8a98a663

SHA512
e33629f86f5ad91ad48d5dc58ede9890493fff3e99cae47f73b5baa754cfa1745e8c9cb14d24ac628d3a51e83a53f22cab72e5ee8416d01e9d1c35be63129ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a925cb28dbe3a0badec1fe3a0e73ced1

SHA1
140ad5b40d52e9277d4757233471ebab9befa6a3

SHA256
c60740919cee46255bf71771c59ec0fb1982d370a43d4007b6faab757df79f3a

SHA512
783e84e05fa52783a0d8138cb8034805f2776e08a273692ea7957af6a729e26ca1c419d32ddec2b82d33c20f2f883df4b82b5e2d54a5a35f09690fd21bc5eac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8fb184750407369a05739d3560d6aaa0

SHA1
3fae333f19fb5c0abefd9204746b2c3e68a51bdf

SHA256
f0cea16037f31d05e389db5184920c959c39d4f66a6315ff5d48758d8d718851

SHA512
5346833984ea45e26ee39d7ab6070db6f7d08fce0f43dd135202b77e4f09b85ebebb1cb2d150fbc4cb535c13f1a6001d1da0dd01d70d9b787b9c70c4d34281f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2543d77e83d142d6a2b6f12cf3220666

SHA1
4e80d2a62e599b7cad745c2bed7ef917ecf11c92

SHA256
77868cb98ddafa7d0e706cc8f19ec9e0dcf894a23838a3e1593a55ff2e629c73

SHA512
f2012b5a7948e089c215aa3397261a92225f621a923ace8191a1333cadef6b21b6e2268df872c6d4d98af72a6b4e45fc57d96a9c7d250de5293cea0b87d8ea0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8f36787854befc20a142da037eba5f27

SHA1
8ccda5b8f2be9f541c033ae7a7bb671d05914655

SHA256
a5311671b10dacc83292d4d1c9c7539cb11555c465314afe17058fd3060b3f7e

SHA512
fc2acdabbe22facfcc28137aee10a5d81aed756ba229385e74661655cf31d609644cc293d0031360bc874c24489059897e67dcad5935025fbbc8674031f882ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3949817984a5fdf26b460edce557eea2

SHA1
3db5e05bc6ffcb1fd9a07dea7d9e33cc010774e7

SHA256
9e8dba1816a1c48664e47a3027f407ffe83603f7c36590e577d69e9c2c94048a

SHA512
2b77761cabd3bcd20fc0ce3bb9a81a8edf1affcfe394dbe1df5f5292748098d780ab52fc140cf676ef0255ae96d6253296959d1c12fd8d2015be83aaccf70d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc11bbc835d0e7ad40a7c4c1c9428334

SHA1
cce4017dbb00d2d0647405b69512b6f3860697b1

SHA256
f3452866fd0c3638b8799e8f4ada43ad5d17eb535ebed2aca6ca5f353213cb9a

SHA512
877270cc400701d0caade81559e5b51e8c2b1ea7f40d3c47cc1e1cfaf7449badfc494fbb9e1ce5b16099d259ef390ac54c04ba0d807df6576d8474870f63baa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff84aed42c140199f17550da5f37cd0f

SHA1
80b082dc98257d524ff1fd4a07414189e76c46ac

SHA256
f62f01943264876ed90431b3b749369e445e450c671b9cb3f02c62c3885330b7

SHA512
07fa28006b398f52edb140cc18bd1813a08e0ab115aecc4ce59bbf4a8cffedf1a1f8becd7ba2e57586abf6005269b2aef3a92bcd8e881598d6855bec35599437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
b7327912cf484b9856f1dfbd21a4340e

SHA1
ac7b594551a545fba9c80eddf045b353e4be9374

SHA256
856c7a0b36c7e5de6345bfb11bca4980969b52def6fdf0f6d2831554a55958c4

SHA512
2962da55d13626e622b032b8bcc562380993ce14579961854cdd0d93ee24a1fb8d88df3678c5fdfe521cb072cfe0ff300c35fac9bb7d437abc32e079d5f2f5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc50dbec52a51025cd3ab88d779f68e7

SHA1
b695c86f20b1ec5540038887d0c224701176166d

SHA256
59c97df23289609ea2faefe959622bb1e22f8f2585381eb5f019dabf60895de5

SHA512
2f62385b15f5336cb43ae6cf0b0fbedbdffa7a53eabf5c940faf3f51ba27ff88751e00d1e6667107802c06ad7558edcc81d5e2ec9bc282065f852c5112f074e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
225b43192e89a668a7c74b2659bd6b48

SHA1
b08f1694d57ffec490522c74e9a70658903afeff

SHA256
23e78225a9bd13296629516bbf008eb0ec32cff2cc23b160c1cd141d6181006b

SHA512
6f82b1066072084fc028f6c9255d0750eb9ad43f69736a5fdb52c22c098e00d17503f6f80c9558b529e35d4a7183c84020e27d6e3bb4b06449dd8cb1cf6fbce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2dee15d5c70085dd0586e1348a83593f

SHA1
6ee4a3a33eb11820cfb3495630cc82788ea353f6

SHA256
6916210d4d71a2870d58166ced76307fa54a828af08faec0895f89e1d417aace

SHA512
0812858a93df92ed236d3d81b7459f3a2e1efcd31d5fe297ebc1df9bdd120052a420043e248384f50532a61943556e1cc8c0649c04bb06280db7ba594898824d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b9da.TMP

Filesize
704B

MD5
a21271d766ddf347749d0d7a1e654e14

SHA1
7e576ce667a8394f0f488327b265c8d5b462aa66

SHA256
9c88651721a9b74292ed6a46044620b872877e8b74c2920d92a49c680ec1ca92

SHA512
98d3b210a5894ce07a5a94c2beeb3788937289dcfc6a7372f0c826c0426ef2ad61b466d396d2deb9df38955c6aa5842f57179a83c17457dc910aa46ca9402b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ad548c7d29728526fb8f64b99e7b6c1

SHA1
4319be6d43d67130543cb28271da66d097df0108

SHA256
5e1507b3f6aa14738240ce5f46dc82a3f2715f904d13d21e6af02461d2f3f466

SHA512
da331bb0f769a9fe714bcd17672fbc023d7ad122c72999bb231ddd130813783a0a13060030cbae691d066a80220fc13cdb23dc96b057e5fd72cf37569a97a851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
11748688b3d0a8593b8ee42efcad7ad0

SHA1
e33f8b2183bfa0e0e2fe4cf3b4faf02871ab3739

SHA256
b42788964dc11aa3e7f3a21bb222c99b2c124eb7f76aee6c7b444113c477e0b1

SHA512
5966daf498d0b7769ee0ac63a24f97c86aff589acb1d9ef18318457945c80761fee1d32e288002b267dcfdf7e17d2c8b4c069dae646360e24292f77c97fe22d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d12e797f18cb79137ad12b5e5139e1b8

SHA1
f15fb437b1be86b714e278ce927b315fa0e16ea3

SHA256
afb0f4a0229174f8118ab512b569fdb9eb3ebb0389cb11c9f4a0a2aa88ec258b

SHA512
f6e8f99bcd0ecff7683c8e56fa2ffa3fdff16d6c17a2066b36bc3d78e2838130b5b23059a239b29a7ebdd0b5ca36b3f9cf388945bf1aad50a3f91cb8091223cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
2bf8b49ae726b6251ed4b98c8bde132e

SHA1
5e5b4f295fec6133c97b3a2b9b313e1504177e6b

SHA256
39e0a94897e8550f2f35ea74bf31a0c49173ce6586a1a89465e771302714e83b

SHA512
0d1d7752934de65768c01269eee5b96cbb2aba4a56a750bf5df7da55f14784e0513d642aad8e01c2fc47cd7c106f86d6b277e8aee3744221e10468d38a9d8844

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.il

Filesize
1.2MB

MD5
808ccfd7a5f1cce101cadd9324489194

SHA1
e79d0563c3eb681e9bf9a2826aedd1f02c7fd84d

SHA256
c54b13241188fcbbb3a6e488d1b3e71be0f07395aea86be14d1e40bbd059297b

SHA512
2b766add2f5bfd21b37033b9d09e2914f5d06f25c6193ea22df19104862d9d034f152f561cdc43974594f5ed8bc78d95bba8a8e919c4f51bf9e2f4d7c3277ea1

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
c6bdbc9d86009ccf7e8de878c9603213

SHA1
2a4b8716f978f2d107bcd8294b486a5ee45afe6e

SHA256
36a067fdfcee95eb270f0b72e3b9e40d52c907d749fb9a8490d82f8ee56b29eb

SHA512
c42a52cd8837e2533b3d5ec97639f0c94287e3d7a6c73635c21df50eba8483b60df15bf262a308836875cd9afed504e7f98a2f6b254e4181fe548b1853d42256

Download Submit
C:\Users\Admin\Downloads\NjRat.0.7D-main.zip

Filesize
48.8MB

MD5
80d3d5163cafe75e0f2d1666a4c65414

SHA1
b94d1e8abcf337c888f403e4e7563c896fa7d51c

SHA256
d96bb6e66aef5a2901a0bfb80df3382d79cdcf60c9916badf27b456244bc6929

SHA512
d606abeacdb158dfdfabd89d7e3c12800704faa499821d01494899d5c36d93d2cc540d8747633535e148abffba4ac8c1fb3016fc03535c3d75cf74edd34daae3

Download Submit
C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\b3 hacked client mc.exe

Filesize
93KB

MD5
b133b002ddac1664f729ff3b2cdc467b

SHA1
f39b31c3684ec3cb60783ec2637a387ce9a3c70a

SHA256
a9953865115bd466976de2e80cfa38b7648c82b67b5f6068002358ebb05a9e35

SHA512
bf10ced4105d965081f50204adf609dbb7630db2836f80f88f92501221bd9d5858d67111e844f6437a07a084d00701891dfabf4bf2c4e2d9c602bb133efd220c

Download Submit
C:\Users\Admin\Downloads\Njrat.0.7D.Green.Edition.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit