Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    10-10-2024 08:58

General

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed nigerian

C2

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

0836ad3f4f2a3225437e173723805851

Attributes
  • reg_key

    0836ad3f4f2a3225437e173723805851

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Browser Information Discovery (1 TTPs)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTPs, 9 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (30 IoCs)
  • NTFS ADS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
  • Suspicious use of AdjustPrivilegeToken (13 IoCs)
  • Suspicious use of FindShellTrayWindow (59 IoCs)
  • Suspicious use of SendNotifyMessage (17 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://njrat download
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb603b3cb8,0x7ffb603b3cc8,0x7ffb603b3cd8
      2⤵
      PID:4940
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
      2⤵
      PID:1572
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4904
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      2⤵
      PID:3976
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
      2⤵
      PID:2756
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      2⤵
      PID:2760
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
      2⤵
      PID:884
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
      2⤵
      PID:4572
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
      2⤵
      PID:4296
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4976
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
      2⤵
      PID:2260
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
      2⤵
      PID:3308
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2284
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
      2⤵
      PID:3980
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
      2⤵
      PID:3464
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      2⤵
      PID:3276
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
      2⤵
      PID:2760
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
      2⤵
      PID:2336
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      2⤵
      PID:2756
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
      2⤵
      PID:1976
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:8
      2⤵
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:3960
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,13241032332688265399,3710792460288501912,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3020 /prefetch:2
      2⤵
      PID:4304
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4036
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4620
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2780
  • C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe
    "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4832
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5008
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3060
  • C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe
    "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3172
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1608
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe"
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:4004
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe" "Server.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1376
    • C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.bat
      "C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.bat"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2576

Network

MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0facf3ba-d687-481c-97a3-1d0893880e2b.tmp

                                              Filesize

                                              10KB

                                              MD5

                                              7e21e86ad00ca799ef7f046333f26f1f

                                              SHA1

                                              db1b6848bc5e9a9ad3324b2f55e43c7cf41ff6ed

                                              SHA256

                                              e0c014a75d3c2f4de49f888b99e2c662f3b0d4f42a3902db1324867194cc3344

                                              SHA512

                                              362dfbcdaa0bbb09ccdc3f4301b70d8433d88aa256d5fb4b07944a3907aef0f9e254737e32dac0440bd0cfd70ea38334eb40a55c5b6e962d79449df2feb4919b

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              554d6d27186fa7d6762d95dde7a17584

                                              SHA1

                                              93ea7b20b8fae384cf0be0d65e4295097112fdca

                                              SHA256

                                              2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

                                              SHA512

                                              57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              a28bb0d36049e72d00393056dce10a26

                                              SHA1

                                              c753387b64cc15c0efc80084da393acdb4fc01d0

                                              SHA256

                                              684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

                                              SHA512

                                              20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2e58adaa-fdb3-4e78-aced-57775e02d9bd.tmp

                                              Filesize

                                              934B

                                              MD5

                                              aa4646192e9384b80a0eca399ef5e8de

                                              SHA1

                                              59e8d5c260f77415dfc2a97e9a4654133f8d4c3b

                                              SHA256

                                              2a6be8f750a33a3915771a14ca92f502a153efc36bfca66564c9b9d239156026

                                              SHA512

                                              27bd7ad6b21ccd58062ccf22d34a9ae9f8dd96b3f17948855035b09c93baca8c99c8b7feacbdbc2e4285f5fd0f537e522df80fd02227e5c65589a6fbc7a052b6

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                              Filesize

                                              3KB

                                              MD5

                                              32c620825be2b5130879a67e5f2b0ff2

                                              SHA1

                                              2fa31fe84087d88614bf6f4c5dc33338673e9351

                                              SHA256

                                              bd934f943bfd43e0f438c66fa70cfaf3d119831686c83da2275836c5dfd8cbf2

                                              SHA512

                                              5bbb6f1e1cf68e0634211a489aa1a48275c647a069d3174a3df07cc090edaf6f22928d0052557370fea1c15672d533b973ed5feda1af8b89bc4dd729e036610f

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              5KB

                                              MD5

                                              bc5c0d398a0511b7a42c14824c8636f0

                                              SHA1

                                              572003a065cfbf53840be836086c758a09adb093

                                              SHA256

                                              967f74bc2ff7b2c70c81b5af916a4756d93d3fb1463fbfbc1cdba2737bbff28f

                                              SHA512

                                              f47d78673779957d6edc078f96d4973919f567062ac9594d85986529faf9b04e56486be3122d15b01ef174e99fefc7d270cc0619dbeb1c5bdf9a86a0ac98b62e

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              7dc69ca213a9e2cf2e03641fa6c4cdfc

                                              SHA1

                                              8657c6f0f95da493c22efce35c450322b783a470

                                              SHA256

                                              14d68ed0f9c1ad01004508cf86a167a6534b206b34f47a6b276147cb0ebd9273

                                              SHA512

                                              90721278b6b9b607e14d81f0f913a6a36a982d7435f4bec1acefd8b215565fc4d00d2c6595d7071c556b1d705dfea52fae6c3cbcc2f6c0329618cb5113cc920d

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              ed19fdac807463b65cac6a54b2e21586

                                              SHA1

                                              7fc2008e4b7bc62a35aeafdc9c820db255e70109

                                              SHA256

                                              279f544c9294db349ffd93186488122cde94ad6577477a18014c6d433c6e5eba

                                              SHA512

                                              32a65b337782b80e97b4911eb48584561fa80654dfd7c17fcd06b2244c001e72922ae5df32d28c02f7328961bea296b3b436a06b93dba631fb3f42bbea376b3a

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                              Filesize

                                              1KB

                                              MD5

                                              3a09d43e1250807709ebb2e2a2e05cd5

                                              SHA1

                                              a92f937c18d6bff0bf3d6759b7c771f4a83c4044

                                              SHA256

                                              d8137eb8bff1c87f4327762fa1b62d176ca8e61b94420923b4d8f67b9722230c

                                              SHA512

                                              9633e65ee19e6ce62182adf1548c2ac0a8ffced9c64f2ae6e760292423289f967d5b84dae4ac2e18fba7f7bdcef4c6da65566ef2cbc1c5b54fcd516096d07795

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f2dc.TMP

                                              Filesize

                                              538B

                                              MD5

                                              1d8ac4a6cd290331d97ea20ec44cf83e

                                              SHA1

                                              f1d636e4b4a2746c6dca033f4203d654e684bfdc

                                              SHA256

                                              a0b6d19ab502b9c57f3f16ba743a9ee117ac10ae4a11f54cbbd33b37da817e34

                                              SHA512

                                              56ea4407906da3879868b09ef5546f0600459d3b6e6d1750386623bcf0a87d97e0c28c53cecba6ba29c1a5228a5de461a0d379cb4d640bff12b7e2989346cd3d

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              46295cac801e5d4857d09837238a6394

                                              SHA1

                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                              SHA256

                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                              SHA512

                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize: 16B
                                              MD5: 206702161f94c5cd39fadd03f4014d98
                                              SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
                                              SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
                                              SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize: 11KB
                                              MD5: 52ed5fe92793a1ba46a4a5a868e18427
                                              SHA1: 403e2a4f258d2d6b511a16b11d91bec9d1ad989b
                                              SHA256: 7d65bb50932e712abc58f1ef8896637cc84ff527b72a29b439c57d7b862e84eb
                                              SHA512: 19d6d98cf3f87e089e40f1c91cc2d9aeb3673f53277349b29e5049ab40d263d2d5186df650d7b23d3c6670cb04349aca970e72eb4fcdec0317ba096cb499dbae

                                            • C:\Users\Admin\AppData\Local\Temp\stub.il
                                              Filesize: 1.2MB
                                              MD5: df592e3010f358e6567d6a8cb670c0fc
                                              SHA1: d7418e80c9cf525746b36257bbca4fe9bb1c5e26
                                              SHA256: 2abe44f0da7ba97eb8d4fa5f984671798c37b165d10cd99865fa80562aabe5e8
                                              SHA512: d8d5c7e839d8a64e82094255d06bd735cccf45819f942d0a490d47c476f223da01d63c9bb4ada2a8cb73c98c2e9733e22e29b1addf78a76c1cf34f1683714041

                                            • C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.bat
                                              Filesize: 100KB
                                              MD5: 6032ce8ceea46af873b78c1f323547da
                                              SHA1: 8c5bd4a70e0f21aeba41c07976ace2919b64fd80
                                              SHA256: 19dc8c66d04d1a1d781e59107e2a1db5fd6288761c9dfd0c6909e533e79d04e7
                                              SHA512: 3ada1663cb730f43b44e32ceade5d0b9cae20d1c20001691a1d226d99c82510e001581f67f5131d6c21e0e0cf98e5089c3d0f22a6a1e3347053ed73304ccc6fe

                                            • C:\Users\Admin\Downloads\NjRat.0.7D-main.zip
                                              Filesize: 48.8MB
                                              MD5: 80d3d5163cafe75e0f2d1666a4c65414
                                              SHA1: b94d1e8abcf337c888f403e4e7563c896fa7d51c
                                              SHA256: d96bb6e66aef5a2901a0bfb80df3382d79cdcf60c9916badf27b456244bc6929
                                              SHA512: d606abeacdb158dfdfabd89d7e3c12800704faa499821d01494899d5c36d93d2cc540d8747633535e148abffba4ac8c1fb3016fc03535c3d75cf74edd34daae3

                                            • C:\Users\Admin\Downloads\NjRat.0.7D-main.zip:Zone.Identifier
                                              Filesize: 26B
                                              MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
                                              SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
                                              SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
                                              SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                            • C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe
                                              Filesize: 93KB
                                              MD5: fa3ea0aa07413e8eaaa8710f01793f4c
                                              SHA1: 12b34aaa807a1a4df1c40a8bf92406f92ba544af
                                              SHA256: 55036215e4eafb301092afb13bf50a9cfff4715dcb31ab392760d31b8f94cf84
                                              SHA512: 1f89a482efadeb219af32e74a72334372436cb1d2cb4e56e5a00b7d8053453e16db557483b26add98fa6be7bf9fdf65dc558b8eac9ce669f325cbd5f1e3ed9c3

                                            • memory/2576-410-0x0000000000120000-0x0000000000140000-memory.dmp
                                              Filesize: 128KB

                                            • memory/2576-411-0x0000000004B40000-0x0000000004BDC000-memory.dmp
                                              Filesize: 624KB

                                            • memory/2576-412-0x0000000005190000-0x0000000005736000-memory.dmp
                                              Filesize: 5.6MB

                                            • memory/2576-413-0x0000000004BE0000-0x0000000004C72000-memory.dmp
                                              Filesize: 584KB

                                            • memory/2576-414-0x0000000004AB0000-0x0000000004ABA000-memory.dmp
                                              Filesize: 40KB

                                            • memory/2576-415-0x0000000004C80000-0x0000000004CD6000-memory.dmp
                                              Filesize: 344KB