njrat | hxxp://k

Analysis

max time kernel
988s
max time network
449s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-12-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://k

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

90cdc4299e3838b5249c33e1c7a2dd25

Attributes

reg_key
90cdc4299e3838b5249c33e1c7a2dd25
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4596	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2092	Server.exe
3444	tmp8E62.tmp.exe
1120	tmpDA6F.tmp.bat

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat Lime Edition 0.8.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat 0.7D Danger Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8E62.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDA6F.tmp.bat

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	NjRat 0.7D Danger Edition.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\1	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D Danger Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	NjRat 0.7D Danger Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D Danger Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D Danger Edition.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NjRat.0.7D-main.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\vu.exe\:Zone.Identifier:$DATA	NjRat 0.7D Danger Edition.exe
File created	C:\Users\Admin\AppData\Local\Temp\Andex.bat\:Zone.Identifier:$DATA	NjRat 0.7D Danger Edition.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3408	msedge.exe
3408	msedge.exe
2500	msedge.exe
2500	msedge.exe
5040	msedge.exe
5040	msedge.exe
4380	identity_helper.exe
4380	identity_helper.exe
2920	msedge.exe
2920	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe
892	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2092	Server.exe
1208	NjRat 0.7D Danger Edition.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1284	AUDIODG.EXE
Token: SeDebugPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe
Token: SeIncBasePriorityPrivilege	2092	Server.exe
Token: 33	2092	Server.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2348	NjRat Lime Edition 0.8.0.exe
2348	NjRat Lime Edition 0.8.0.exe
2348	NjRat Lime Edition 0.8.0.exe
2348	NjRat Lime Edition 0.8.0.exe
1208	NjRat 0.7D Danger Edition.exe
1208	NjRat 0.7D Danger Edition.exe
1208	NjRat 0.7D Danger Edition.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1208	NjRat 0.7D Danger Edition.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 5056	2500	msedge.exe	77
PID 2500 wrote to memory of 5056	2500	msedge.exe	77
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 1700	2500	msedge.exe	78
PID 2500 wrote to memory of 3408	2500	msedge.exe	79
PID 2500 wrote to memory of 3408	2500	msedge.exe	79
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80
PID 2500 wrote to memory of 3720	2500	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://k
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff858863cb8,0x7ff858863cc8,0x7ff858863cd8
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6532 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12954756157134393562,8706821846487122300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:5648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4136

C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\njRAT Lime Edition\NjRat Lime Edition 0.8.0.exe
"C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\njRAT Lime Edition\NjRat Lime Edition 0.8.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:2348

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe
"C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000

C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe
"C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2092
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\tmp8E62.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8E62.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3444
- C:\Users\Admin\AppData\Local\Temp\tmpDA6F.tmp.bat
  "C:\Users\Admin\AppData\Local\Temp\tmpDA6F.tmp.bat"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1bb09c6378516a70ce7fe01a1a9eb7ce

SHA1
07c71e791177d9862b91e73aa12e04a3fc2772c7

SHA256
a1b53c8cf0e42ca882bc1b53dd0709a663a1dc9dc2c072a9a16cd965f30a501e

SHA512
e95a7126ffff0534b482437bb8fff96573b286597181d54627add33e940400375ca9420d7d0fb1243ec526e144c0b8aa3fde9b38b0b4b4c3d8e0a1b31b9c2f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2a87d4a0e89b1ddb43c639f2588aa215

SHA1
a269097185bd244730345c9f2ad5efcd23b8cbdf

SHA256
fa84c50808214af4e41416d9f7d0a0f55a8a98ba951f8aeadaaa0f26b7d0b5e8

SHA512
7bbdfdc2aa7c55b31471abe49dcf2c7f1a85210709d5f993dd24f7b183e3359d29f6776082b14624d29fd198509325bfa93744025ca6f8d6279a7e63b4b2b363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d49491a250419fb15d285788669557dc

SHA1
cfd421a61707c2896c40927a1c86d5f11cd6a6a8

SHA256
d254a97d9a8ecc4ec9c1065bd60f32cb2bbceaa8d1cde4732ad15f9e359acaf3

SHA512
2c7a8d1d43ea2d6be9b184824ad9645570100d4c5eec3cd11b58eef136a6ba522bf541e08693cebaaecd6b3fbc181cea61f2ac9799d6888f99305182ffe15771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2efdb3a267a40eba5235c1d43dc90508

SHA1
dd60bcbb5d8df6d45cfb47112c302afc78973364

SHA256
0dc3cd0a3bf1531dd305e072576a8be55fd23e398010e09a668addec5f0ba873

SHA512
2366b9af1549e40a5ba51957c4619c058d438429a58ddd175750effb93c06fdfd1ee2e582b1e5d04ec0d93f9b29349a442272d15af4456f0898846c26ded0fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0a95d835a6c7c275194fc8ed542968b6

SHA1
104e05bfcbc45d628d03294e7af92d9eeae96f6b

SHA256
d6d4f4d472b8ec02594a05b428affd1064f96c29dd1a1a833e8d377d191a242c

SHA512
9c28f190f52a7022c13fd85245e1b5c10e2bdda0b0e167b5d9828a8227313d429c0d15da07c83843b1edba52fbea7a1849f97d27d89faf45939f6e6a3f0f0495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8be85b09581f708a33cac2e0a0afa001

SHA1
bc503b189dd7d35a2716bd757052d9c42260fc2b

SHA256
327a934700072ea822275ccd8adbcc0b73df308ee81c189d5a98d133530bcd7c

SHA512
1a338e7cdf8db5f451833c048abc5da4a3acefd0529e8ed83327e69137c5218107b93c11e9b2614aed6cf071aa43e3ac1427c4e5f767339e32aa59e0cc176427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
38f45625808c79c8fd9a4b69b7147797

SHA1
e4fc3c54b3353d505d4ae6d575c1d2e728010a33

SHA256
1e56cd2c66ac8c97f92c4a0ad8de01fdc11a93b25534c7a0a58492c0e7e05c69

SHA512
2f72703fe126413f2f5349cc2c197a08c5a0085d6cda5b59c98f208364d4b80df9eec5be8f364334a8ebc388425d2804ce9d4a2ecc9decaeb9190be17c4139cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4385b43ad790a1c9b8d15c9d5427a78e

SHA1
acf3fc207df428fd25a2952548d87beb488905f7

SHA256
d28228118da3eecdc03eab1e395fc9f5ff94c087aae2b08c92d90e1a2c765922

SHA512
6756b63f6367df55ed48265b4ae1c2355ae3c2e26188fe30bd89f4707636bb928611087a4c31ec886643dac9a689ba25cbfbf33a70934fb0757cd97deaa242bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
05f892f8b6c2c1e96a019cc110fd215f

SHA1
1d54e0297c77856788b996f3263e9699e9ee589d

SHA256
366499443eb1931a8e61c82203640c6bf294ae5bdaa1ef9e0b3c658eefc25948

SHA512
8b4cdbd36453c3a4037477ed01647fe8070b7f89352daf24252f71b9deefccdfb2670ea7296cf5fd94427e25fbd6cf80e63c6991717c3727d5fcb3571d7f8e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0629a3080a33f7c3489aa5be94de72ca

SHA1
6b21a192ce21fc0bd4aa563ccc7c4caf1714be8e

SHA256
eaf29ed8a32723ba3bb0fbaaf8e3d60ebb6b026b53f919fc1fda22bbb94877a1

SHA512
a04d5e84be2f1e9e541e060b3e3caeb006525c00453ae1e986ff745980ea36ccf73363b681a1642ac789b16676f84b1b83d8890dca26777bb0bde90ddc0578eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583285.TMP

Filesize
871B

MD5
ed470f714aa54cdb7db42f49a033fd68

SHA1
e1e884dd71993214fce7382a8c76415ec19e2cd9

SHA256
5b3f98eb6061dc061f7422fe50a0a4d119c20319d5ddf672f20e98e19c4494bb

SHA512
31e6ea7c339bf74241d6351c506c5838c9e65a1f3eea055ec03ee1ceeebff51537ad35a773b982f4b1e1b310608355036476c463758e5bd591042d8bb4057465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a507caab-4a12-4ac8-9248-ee5f7deeb107.tmp

Filesize
6KB

MD5
12511c86f40a9f214a10d22be0697f18

SHA1
f1b9537fd8efe7f150ec0f0c9680f61c119235fc

SHA256
a607d5758ba9f21d32abce52b418f0b3b616891101f1cab211ecafbc15dd7c13

SHA512
086276d4178a3752a2e0b5a0dcdd0e15ec1866fd451ab4c01d6c96ff19b7ac74c821c8fa3373fdd0987acb5ccc509ae344e060c19a9705a74bfa5e7ce399dece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c07f14e7857bef028265fd1df089b8b7

SHA1
1b46ea787d69a88df824b7f3a287fb9c791cf269

SHA256
bf5c413a1d68107785102c6c8c983b55be65c509592895ac4caea79b911829c1

SHA512
ec3c6b89aba7865fd75e3d7d57432abf9d287d686b65f7fa6dac175d3551f29e7ae947f814a36930b060710f5464dbd279b2cbdbe56d548e294299904345ca7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
070164d162224a8951370ba83145ccf4

SHA1
7b0e38a50d8b413fcd3039d22efe1e2f4019baba

SHA256
8371b32cdabd3768ac42cce2c0eeec820a6fc0a97fa216d11dbd29af878d7d55

SHA512
4aa68443dcdfea8f4bc772fff5415fb72a1fad239b333e544be9ecbb1a39e56bb40203acff4bd572290436337c179f85fd8afde7764bbea8170b019af3bec29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
faf3824643fac19b8a2fe2fa0592db17

SHA1
e210282cf7949e76fdc8483d55e9460afa4da416

SHA256
13cd604c6f5f12040589170d37654a12bbbbff1fcd256957aee413d56dfd6ca3

SHA512
c0d311cdcb2a05a33e1514ed38c7dd333f92ea82400b0f6c01bb2d21e7d246fec6a408ee1473c38574d744544db7bcb5185a676874a13615593dce3563b57012

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.il

Filesize
1.2MB

MD5
becb6303daca0596aa6f1f7cf75d87cf

SHA1
52d6d8b1f85c5b26674309605938d998b8e98005

SHA256
7d7faffafbd91aa09bb2328badbd3f350841522678af0008740d2f5059ca5a8a

SHA512
c5ebc6fc57da45f14a269f82a53043c36437b8c74c286c8d6af19910f16ab761b50014fb58b3051981a3c91cb38d8215ddf1161de684d2c8aeb7ee8b6843a714

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E62.tmp.exe

Filesize
28KB

MD5
6c2210ba180f0e1b9d831c3c6c14c8b4

SHA1
00bebdf704f4cabf254583c6ad87c6e72872b61a

SHA256
501c36ac282029ccf7950a4957d4c10ea72fe18f0ad8d6daeabfe628fa4070a7

SHA512
26a63ad05199cf45acd7519fbc63945097b4c4a89bb2cdfa4f87ba004e1ce106220b0b99419e656de26d164265b3868a9ce541c71b05d4e4db1a9a1343130e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA6F.tmp.bat

Filesize
100KB

MD5
6032ce8ceea46af873b78c1f323547da

SHA1
8c5bd4a70e0f21aeba41c07976ace2919b64fd80

SHA256
19dc8c66d04d1a1d781e59107e2a1db5fd6288761c9dfd0c6909e533e79d04e7

SHA512
3ada1663cb730f43b44e32ceade5d0b9cae20d1c20001691a1d226d99c82510e001581f67f5131d6c21e0e0cf98e5089c3d0f22a6a1e3347053ed73304ccc6fe

Download Submit
C:\Users\Admin\Downloads\NjRat.0.7D-main.zip

Filesize
48.8MB

MD5
80d3d5163cafe75e0f2d1666a4c65414

SHA1
b94d1e8abcf337c888f403e4e7563c896fa7d51c

SHA256
d96bb6e66aef5a2901a0bfb80df3382d79cdcf60c9916badf27b456244bc6929

SHA512
d606abeacdb158dfdfabd89d7e3c12800704faa499821d01494899d5c36d93d2cc540d8747633535e148abffba4ac8c1fb3016fc03535c3d75cf74edd34daae3

Download Submit
C:\Users\Admin\Downloads\NjRat.0.7D-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\NjRat.0.7D-main\NjRat.0.7D-main\NjRat 0.7D Danger Edition\Server.exe

Filesize
93KB

MD5
7417b8125c9a857f399a25ca8a6f0c48

SHA1
9bd2fac08a2b312113360e10c3fdb6b7450bb687

SHA256
3bbbe30707a268bde2c5df2b2167cf175aba36a628416c0c02e86cab7536490a

SHA512
ab4ca5364180bdf911c9d4e5bd2e34f9110cd335f687b249e5c4776d4ef2f6946a3cc2821b572ba750f2d07b571f2357314d974c4c7c00864adfe39918d7f7df

Download Submit
memory/1120-637-0x0000000000740000-0x0000000000760000-memory.dmp

Filesize
128KB

Download
memory/3444-623-0x0000000005880000-0x000000000591C000-memory.dmp

Filesize
624KB

Download
memory/3444-624-0x0000000005ED0000-0x0000000006476000-memory.dmp

Filesize
5.6MB

Download
memory/3444-622-0x0000000000F10000-0x0000000000F1E000-memory.dmp

Filesize
56KB

Download
memory/3444-625-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/3444-626-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/3444-627-0x0000000005BB0000-0x0000000005C06000-memory.dmp

Filesize
344KB

Download