njrat | a615daba183741c31ef4bf96c1f1fd5783afac56fb3d61feda491288e7317a76

Analysis

max time kernel
576s
max time network
900s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-12-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mono Executor Final/Debug/FastColoredTextBox.dll
Size

323KB
MD5

8610f4d3cdc6cc50022feddced9fdaeb
SHA1

4b60b87fd696b02d7fce38325c7adfc9e806f650
SHA256

ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9
SHA512

693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09
SSDEEP

6144:0R0J4lx4/7BA4xvNdcwCOg04j0y5mwZkdmsqmLDi5eNH+Dl1SIP0:0R0J48lAovNd7CO34D4b4eNO

Score

10^/10

njrat xmrig hacked discovery evasion execution miner persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

127.0.0.1:5552

Mutex

165d6ed988ac1dbec1627a1ca9899d84

Attributes

reg_key
165d6ed988ac1dbec1627a1ca9899d84
splitter
|'|'|

Signatures

Njrat family
njrat
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral1/memory/4744-1192-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1196-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1197-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1195-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1193-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1198-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1199-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1200-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1201-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1980-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1981-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1983-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4744-1982-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4088	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2824	NjRat 0.7D Green Edition by im523.exe
4276	NjRat 0.7D Green Edition by im523.exe
4628	ffhzguglhicn.exe
2508	NjRat 0.7D Green Edition by im523.exe
4960	ffhzguglhicn.exe
936	Server.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4628 set thread context of 5044	4628	ffhzguglhicn.exe	167
PID 4628 set thread context of 4744	4628	ffhzguglhicn.exe	168

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4744-1192-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1196-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1197-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1195-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1193-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1191-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1190-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1188-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1187-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1189-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1198-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1199-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1200-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1201-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1980-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1981-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1983-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4744-1982-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f71d2dd5-a64a-488f-8a31-cee11d12b4aa.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241225173429.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
968	sc.exe
3856	sc.exe
1744	sc.exe
6052	sc.exe
1056	sc.exe
880	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2508	2820	WerFault.exe	190

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat 0.7D Green Edition by im523.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat 0.7D Green Edition by im523.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133796216349332098"	chrome.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D Green Edition by im523.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\0	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D Green Edition by im523.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D Green Edition by im523.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1900	msedge.exe
1900	msedge.exe
2612	msedge.exe
2612	msedge.exe
5564	identity_helper.exe
5564	identity_helper.exe
1772	msedge.exe
1772	msedge.exe
2824	NjRat 0.7D Green Edition by im523.exe
2824	NjRat 0.7D Green Edition by im523.exe
2824	NjRat 0.7D Green Edition by im523.exe
2824	NjRat 0.7D Green Edition by im523.exe
4628	ffhzguglhicn.exe
4628	ffhzguglhicn.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe
4744	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4072	NjRat 0.7D Green Edition by im523.exe
936	Server.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	firefox.exe
Token: SeDebugPrivilege	2408	firefox.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeRestorePrivilege	5848	7zG.exe
Token: 35	5848	7zG.exe
Token: SeSecurityPrivilege	5848	7zG.exe
Token: SeSecurityPrivilege	5848	7zG.exe
Token: SeLockMemoryPrivilege	4744	explorer.exe
Token: SeRestorePrivilege	4424	dw20.exe
Token: SeBackupPrivilege	4424	dw20.exe
Token: SeBackupPrivilege	4424	dw20.exe
Token: SeBackupPrivilege	4424	dw20.exe
Token: 33	2160	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2160	AUDIODG.EXE
Token: SeDebugPrivilege	936	Server.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
5848	7zG.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
2408	firefox.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
2820	NjRat 0.7D Green Edition by im523.exe
4072	NjRat 0.7D Green Edition by im523.exe
4072	NjRat 0.7D Green Edition by im523.exe
4072	NjRat 0.7D Green Edition by im523.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2408	firefox.exe
5192	OpenWith.exe
4072	NjRat 0.7D Green Edition by im523.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 4276 wrote to memory of 2408	4276	firefox.exe	89
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 4940	2408	firefox.exe	90
PID 2408 wrote to memory of 1232	2408	firefox.exe	91
PID 2408 wrote to memory of 1232	2408	firefox.exe	91
PID 2408 wrote to memory of 1232	2408	firefox.exe	91
PID 2408 wrote to memory of 1232	2408	firefox.exe	91
PID 2408 wrote to memory of 1232	2408	firefox.exe	91
PID 2408 wrote to memory of 1232	2408	firefox.exe	91
PID 2408 wrote to memory of 1232	2408	firefox.exe	91
PID 2408 wrote to memory of 1232	2408	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Mono Executor Final\Debug\FastColoredTextBox.dll",#1
1⤵
PID:1836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b61f0139-c2a5-4e3b-9f26-625ea2451840} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" gpu
    3⤵
    PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e5b7b95-d963-4e59-aeb7-755443177044} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" socket
    3⤵
    - Checks processor information in registry
    PID:1232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3244 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29c985dc-77c9-4578-9367-3ab1df52ecc3} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" tab
    3⤵
    PID:3564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3708 -prefMapHandle 3704 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1a0e64b-d201-408a-92d8-08b9a1943d0f} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" tab
    3⤵
    PID:1980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4600 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4632 -prefMapHandle 4628 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fe8df58-fa32-4fbe-8ab3-5c315a82dbe0} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" utility
    3⤵
    - Checks processor information in registry
    PID:3148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5256 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4d393ec-5ff4-4262-b4e0-6e9847789fee} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" tab
    3⤵
    PID:2676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 4 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64198b69-44c3-41f0-9913-0518a96cd658} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" tab
    3⤵
    PID:1628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {677dee5d-4aac-4bde-b359-251b7ea3795f} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" tab
    3⤵
    PID:2572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6140 -childID 6 -isForBrowser -prefsHandle 5032 -prefMapHandle 6132 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91202027-f758-4874-b1f7-ee8ef739bdb7} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" tab
    3⤵
    PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff85c5ccc40,0x7ff85c5ccc4c,0x7ff85c5ccc58
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,12284353273685755376,12475799958056407153,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,12284353273685755376,12475799958056407153,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,12284353273685755376,12475799958056407153,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,12284353273685755376,12475799958056407153,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,12284353273685755376,12475799958056407153,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,12284353273685755376,12475799958056407153,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,12284353273685755376,12475799958056407153,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,12284353273685755376,12475799958056407153,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5372,i,12284353273685755376,12475799958056407153,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:3256

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff85b2646f8,0x7ff85b264708,0x7ff85b264718
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2552 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x138,0x134,0x154,0x158,0x7ff660325460,0x7ff660325470,0x7ff660325480
    3⤵
    PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1280 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2936 /prefetch:2
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,4218292099311324312,4108731724601856503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7256 /prefetch:8
  2⤵
  PID:5988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5588

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8950:110:7zEvent17356
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5848

C:\Users\Admin\Downloads\Njrat 0.7D Green Edition\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\Downloads\Njrat 0.7D Green Edition\NjRat 0.7D Green Edition by im523.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2824
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "WAPQYYAB"
  2⤵
  - Launches sc.exe
  PID:1056
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "WAPQYYAB" binpath= "C:\ProgramData\evhjkmhsccca\ffhzguglhicn.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:880
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "WAPQYYAB"
  2⤵
  - Launches sc.exe
  PID:3856

C:\Users\Admin\Downloads\Njrat 0.7D Green Edition\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\Downloads\Njrat 0.7D Green Edition\NjRat 0.7D Green Edition by im523.exe"
1⤵
- Executes dropped EXE
PID:4276

C:\ProgramData\evhjkmhsccca\ffhzguglhicn.exe
C:\ProgramData\evhjkmhsccca\ffhzguglhicn.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4628
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5044
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744

C:\Users\Admin\Downloads\Njrat 0.7D Green Edition\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\Downloads\Njrat 0.7D Green Edition\NjRat 0.7D Green Edition by im523.exe"
1⤵
- Executes dropped EXE
PID:2508
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:6052
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "WAPQYYAB"
  2⤵
  - Launches sc.exe
  PID:1744

C:\ProgramData\evhjkmhsccca\ffhzguglhicn.exe
C:\ProgramData\evhjkmhsccca\ffhzguglhicn.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x398
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Users\Admin\AppData\Local\Temp\746f1480-eee4-433e-9714-990d829f1c0e_NjRat-0.7D-Green-Edition-by-im523-1-master.zip.c0e\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\AppData\Local\Temp\746f1480-eee4-433e-9714-990d829f1c0e_NjRat-0.7D-Green-Edition-by-im523-1-master.zip.c0e\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat 0.7D Green Edition by im523.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:2820
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1464
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1468
  2⤵
  - Program crash
  PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2820 -ip 2820
1⤵
PID:2448

C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat 0.7D Green Edition by im523.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4072
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:700

C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe
"C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:936
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4088
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5aa783b543f677490876c977d03694c8

SHA1
e548e018d4b4b7c13dddf84f4ee236756c492dd2

SHA256
c78811ca4cabf0780b567661dfc5a5949bf5dab5bd604d42e8e58fd669ad4a82

SHA512
0d3b9c7844f1103808ee8c9cd8367d2433785ccc9862bb71ca1a451c7d405b0ff156880db7f46ae672ff41ff74a68582fb6ea57f9deaff2465c6b911ed819c4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
eacaceb56b433db0d143181baff90889

SHA1
002f09ae0f8fdda888b0965aaae2bec5ea6403ff

SHA256
fc33fb2b72d0f93affb5bac20596eb565862e1bc349f50269aa1bf84f9698f58

SHA512
88b2b3d400d2df40848f1948006fd40bedec97c40b960799967110227844e9d3de95608b953a7f0c42b8cb36c9255e45067a3bab554fb77a89fec8c27c7ca677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d6ee91dbafcb7012a207939dc7186460

SHA1
0df7ead9f26122278fbeab153462801e405d06ba

SHA256
4869772ad7e9240391740cd3c6469f070429bde26d44e4df08edb3bd3d665422

SHA512
34ec73e199f0c3d699564477246db404fb87c6847c2b9b26926c41192e568895d418697bc6ce4e079f2b27483a94f1074ccd8c4a363c5b60fe5bd639885aaecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8dbc025266c25fdca4fddf8d775f8cba

SHA1
ba0d0544fee395a90a9160c20e2d61e86359ffee

SHA256
46f22b1974c09f243fc167cf0ebdbf1ac6a42af83f1a2a76fe0540c40a252c6f

SHA512
e5fd4999207286cad5fcb6b974e751c70ff7506d8bd01308313de07a8d0ab13c7ac7e1f94b3bd28f34157622bc8a39cfe03ad2af847aba6bcc2d13909a4a5953

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5bbf97695bde687015f95efc6f4ca94e

SHA1
3ffaaae758c966a0c5cfb0d71e44bfb119d5b395

SHA256
5d2a86d466cf763512a69bf7fee9f149aba3d71c779ec5b7d9486889c1caa4dd

SHA512
bc5aa2b9a12f8dc012e6c5a24d32a796f3d8fee4b96c66f609e1d4b7176ab34f1d2a60ee83e7cab22bfbde597f4cf0228138892aef2dfbbe98cf21888fa282e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
dab87c15c52359009febd1d78cc89fb0

SHA1
cc044aed0627aeb0146d71f0804d4b3325912a16

SHA256
22ed9cff6ccf123c37faddc494365f94ce9779a59238dfb1f1e1472df6610dc9

SHA512
0a366f994f40dd7879ca5b90a0a25afcac693d5ff98e25ca5a6fcdf3b270489df8d5cb985d7f462ce692ffa5ff603fa6c76cb6ec95cb9386e84d2909e7a495cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e78e09da0076d5abd3ee71ad791d7910

SHA1
ec99841c6827ee88abe60f65644855938407bde1

SHA256
044e3ca1463a04d7135d753870066876ae73bb0bbed8180cab34a12f77d68202

SHA512
84d01f8cf1850eb254a28fe9f5b9f5f95dbeebbf8d81bb60e5f7b250360b0187a1ce8c5dc64ff71f14a5f21aabdd0b6b8b4378e9c49e2f90e02c65405461b18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
dd955a5cec6db48ceece865d4865d3fe

SHA1
c2c7a72f73293131c1ceabfc4e04a3898bc4af04

SHA256
d7ec486e1ad6eab289fb0c5c9e24e9f423a14ca322b994adfdcb1fb371f20ba7

SHA512
35f4b7d46fe0fa0f29d3c9d2f2bcc200ca2bd69cd8c1930cc167943c47407169d5140811923bd77ee29ca20004f9955608a45b8ce2839bb16db7eb7597b920e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
c4425e763c45aba138c84b019a2f84d5

SHA1
a88a33aca8833baee363af50a64001115d5a66a8

SHA256
06acae790a89182efbacefbddc322efb1b872e51d9db93e307bb7eef0ea14a4d

SHA512
4c70d2ddcae7f9db3b29445b84aeb76baee3561e0b6b242da35cc5eb44f09b215aa5815eb853cb8739edda427b325cc54db0522383a1f60e86a5d2e49a44cb6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
dc075e65f1405391e836dd94e290ed2f

SHA1
e0c312aa31251ba64f2f9f5047023158de376da6

SHA256
1653ac9e2b37ac4cbeb0374252aa4e85df225d7bcc6d23f6e978f1b68c6c16e1

SHA512
86463fcb1307dcee546a0065b078cb0f145b1e63e420b19ab097ef06b03f8870ca73cfe00253214b1645fd138a2a8662b766cc42cd193c60684ae9fdc73fffc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de0e1d3019517b3b005d7731bbb8a355

SHA1
ddf1f15c241f72585595cd30de12c4c3ce4e2f97

SHA256
4ceef5b8daa774c456edd70e46668746b8fa086bb9515ed5975e6737e40dc3f0

SHA512
84f7a069fd6f0713fdb9d35f17839b8755671047be477e49102f5777e8ebeeaa6421d3816727dd37f1241f4653c063fb0823ae7bab1d3001635c5075c2ba464d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
913cd25b0de81960e841c81a7bee8b19

SHA1
2c4bf2a4de37c06bea3e39898c9a98ee611b5455

SHA256
b01953744098bc035aee2a21976607df9352ca42abc3e01d769e2ceee1c9bd5f

SHA512
e5a879cdd1f83d6b6ee13117924522c967e2413c29722b5507b632514e28a0defbbcc942e7176f819e05df7bef37ca5133ba5efeb67a91c34b3736eec05ac8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
38KB

MD5
c7b82a286eac39164c0726b1749636f1

SHA1
dd949addbfa87f92c1692744b44441d60b52226d

SHA256
8bf222b1dd4668c4ffd9f9c5f5ab155c93ad11be678f37dd75b639f0ead474d0

SHA512
be7b1c64b0f429a54a743f0618ffbc8f44ede8bc514d59acd356e9fe9f682da50a2898b150f33d1de198e8bcf82899569325c587a0c2a7a57e57f728156036e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
37KB

MD5
56690d717897cfa9977a6d3e1e2c9979

SHA1
f46c07526baaf297c664edc59ed4993a6759a4a3

SHA256
7c3de14bb18f62f0506feac709df9136c31bd9b327e431445e2c7fbc6d64752e

SHA512
782ec47d86276a6928d699706524753705c40e25490240da92446a0efbfcb8714aa3650d9860f9b404badf98230ff3eb6a07378d8226c08c4ee6d3fe3c873939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
20KB

MD5
0b17fd0bdcec9ca5b4ed99ccf5747f50

SHA1
003930a2232e9e12d2ca83e83570e0ffd3b7c94e

SHA256
c6e08c99de09f0e65e8dc2fae28b8a1709dd30276579e3bf39be70813f912f1d

SHA512
49c093af7533b8c64ad6a20f82b42ad373d0c788d55fa114a77cea92a80a4ce6f0efcad1b4bf66cb2631f1517de2920e94b8fc8cc5b30d45414d5286a1545c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
26KB

MD5
73fc3bb55f1d713d2ee7dcbe4286c9e2

SHA1
b0042453afe2410b9439a5e7be24a64e09cf2efa

SHA256
60b367b229f550b08fabc0c9bbe89d8f09acd04a146f01514d48e0d03884523f

SHA512
d2dc495291fd3529189457ab482532026c0134b23ff50aa4417c9c7ca11c588421b655602a448515f206fa4f1e52ee67538559062263b4470abd1eccf2a1e86b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
18KB

MD5
f1dceb6be9699ca70cc78d9f43796141

SHA1
6b80d6b7d9b342d7921eae12478fc90a611b9372

SHA256
5898782f74bbdeaa5b06f660874870e1d4216bb98a7f6d9eddfbc4f7ae97d66f

SHA512
b02b9eba24a42caea7d408e6e4ae7ad35c2d7f163fd754b7507fc39bea5d5649e54d44b002075a6a32fca4395619286e9fb36b61736c535a91fe2d9be79048de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
58KB

MD5
6c1e6f2d0367bebbd99c912e7304cc02

SHA1
698744e064572af2e974709e903c528649bbaf1d

SHA256
d33c23a0e26d8225eeba52a018b584bb7aca1211cdebfffe129e7eb6c0fe81d8

SHA512
ebb493bef015da8da5e533b7847b0a1c5a96aa1aeef6aed3319a5b006ed9f5ef973bea443eaf5364a2aaf1b60611a2427b4f4f1388f8a44fdd7a17338d03d64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
39KB

MD5
a2a3a58ca076236fbe0493808953292a

SHA1
b77b46e29456d5b2e67687038bd9d15714717cda

SHA256
36302a92ccbf210dcad9031810929399bbbaa9df4a390518892434b1055b5426

SHA512
94d57a208100dd029ea07bea8e1a2a7f1da25b7a6e276f1c7ca9ba3fe034be67fab2f3463d75c8edd319239155349fd65c0e8feb5847b828157c95ce8e63b607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
105KB

MD5
b8b23ac46d525ba307835e6e99e7db78

SHA1
26935a49afb51e235375deb9b20ce2e23ca2134c

SHA256
6934d9e0917335e04ff86155762c27fa4da8cc1f5262cb5087184827004525b6

SHA512
205fb09096bfb0045483f2cbfe2fc367aa0372f9a99c36a7d120676820f9f7a98851ee2d1e50919a042d50982c24b459a9c1b411933bf750a14a480e063cc7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
53KB

MD5
2ee3f4b4a3c22470b572f727aa087b7e

SHA1
6fe80bf7c2178bd2d17154d9ae117a556956c170

SHA256
53d7e3962cad0b7f5575be02bd96bd27fcf7fb30ac5b4115bb950cf086f1a799

SHA512
b90ae8249108df7548b92af20fd93f926248b31aedf313ef802381df2587a6bba00025d6d99208ab228b8c0bb9b6559d8c5ec7fa37d19b7f47979f8eb4744146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
88KB

MD5
76d82c7d8c864c474936304e74ce3f4c

SHA1
8447bf273d15b973b48937326a90c60baa2903bf

SHA256
3329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8

SHA512
a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
16KB

MD5
5615a54ce197eef0d5acc920e829f66f

SHA1
7497dded1782987092e50cada10204af8b3b5869

SHA256
b0ba6d78aad79eaf1ae10f20ac61d592ad800095f6472cfac490411d4ab05e26

SHA512
216595fb60cc9cfa6fef6475a415825b24e87854f13f2ee4484b290ac4f3e77628f56f42cb215cd8ea3f70b10eebd9bc50edeb042634777074b49c129146ef6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
31dbdecb2c9568b6b6d59ede81e8d275

SHA1
05dee5442dd1f13e4276f38cdc219e462207526a

SHA256
b6ebde4a8e557c7c7226db4b8fac7938a3e4ab28ef12f3899dc5c82a5ec8ec61

SHA512
e84e4d18bb18028bafc879a37bbb23b5d3c09d28ec4d1d93e197a049cbf2163f892fde8def2cfec970c3436d1ad828ab08c1f4b7ae454db6638c2b2b8e58df5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a4d5f1d408d42f62f0c854b5910dc458

SHA1
f012d0825fb2e6b8ab6ce57242467b170e24366c

SHA256
634763311a63554d368d8a7c258e77159b8bb767f70cffc3943be507493fad38

SHA512
4c91b0f57dc8779aa1dfd3685c04d135b311f36036650454c28c2bb9408e11df4068640179a6080e406a6043648605145f2c435c8c920833717fb3b984f1e5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e2c0d6a2e9a7d8c7ab22e8e84475f577

SHA1
04646c3da7565447b7b47c096991be9f66ad7665

SHA256
97b857cd9eb3b716cbe12020a6739755f07ed19616f227e5cdb2beb59f45b751

SHA512
cbc46d246652169ca04732da7d56e2bfd917bcbe0cc06d9b91e98164219308daf24439279f68f4bea9f7557c8d5b3fe485d37adead7e1cd4f8ab733e238a809d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
385fc15f5465c212039eb8c637409791

SHA1
de5f2d1d43adbfb1f7d3dcc46a5848ae64b7542d

SHA256
94476874debdc2c3384c61cb0c23e24140f5af9bee1844b49a5dd6508d791ff2

SHA512
45c0d05011e75e5cea7781164e43aa9a8274c02044dd8442f337e7d6d9b1cd2c57c68fdb81669cba4274b47e70108a3e821f4bb338087dc69065be034f782000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
846a5d1e47eb6b49afb6dd70722b91f2

SHA1
f80df71a7f9947891064ae9cac5d1c33552b8d89

SHA256
9d09153610da638f62c15e087c387eeb40fabbd47c4456315acac3935461d4f5

SHA512
e28d12191de31389a03f74f14783ad94d0ec18e105b6c7b78ce223606857e7d480d824510a4eef5781390fc769b3e33831b460a7e696c9b2829b45e4c32c7cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ba297f7ee474676a94a940b43c7a1603

SHA1
d1349a16314fecf8abc749198eb4f35300d20fc6

SHA256
e299d4242bfd73e9b9676ff973f94d95ca0b48fe1445c3341d4484e53c2fc20f

SHA512
0c792948910f937feda180bf8e2b7976a15e957a9dc9b2fc528a2abee8ed3f7b094f5b2f8f8acdc3ee2f2321b2e8dc3d7f00dd1302cb384d440a373b8d332482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ccd65adcba74186449d743c34811bec4

SHA1
eb9913cf94c4420e0494f78169178c2d67b4ea37

SHA256
7fcc9db7650e7bb17e65182e37d0035ceee5b68983377ce70a6b38b79e92512a

SHA512
84f088ef444a7158354be581c68dfd2d64852f6562d66e2bcd30b3305a41cf4803b8abf291a42ed5ec2cb57d65b0c50319149e3e2807f0b45e86cb8ba8602fdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
c607889173858d1e692db27a920a23f9

SHA1
7284605275e7dd238808bd5a2864a6693a3911e4

SHA256
5a9794621a86be0dcff4eb4d730708b0cf1bee5448c96362e21c90befa8fcb5a

SHA512
80334ab42614a2b52d55915c2700488f88b614905f804d96e23931454042ceb0f0c5c0f9dc3c2346fed074645b471783a7e33b5c81c558c2bbc09530bb56ba61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe593714.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
59816ba0183bc81c6c304d684a66f103

SHA1
85af66f5ab562e0396b887f588a4344a3f93331c

SHA256
0fd1d2df12aa22c01b6885b26f8e4bc927844179e925962d6dcd449d50728bbd

SHA512
1d1b5aff95cbff57b3dd88d021cfeb402e6176727facd4365265d9b8a586800397e38387017d51243c7f6cfbf73ef263bbe9817e7b29e2841c90d22bbb27fea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
70e12dc4a198fef8353de7b759627d2e

SHA1
4f468b52607cd0ec50ffe365f651b3d2e631a0bf

SHA256
23b75c740868f25e27be3b9c93daca94eed7a2902bb3db508d84646540eac4f2

SHA512
6f707dac00585ca129dd50b473583bf087ef1a62790533abcc01d70cb1b6929339050a71d657ca9cd9bcf52ae2a120a3e87331badc4f52fe1588c32177cc8b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5fc7fd3d2ff4bb5d037f994c7be0170e

SHA1
2ed2f739e6eb30bc53d0f0f7e8bdae5b8f30101f

SHA256
a3a52760c6b4c675750b537e4d15cb90e0c66cc0e464b7f35e3018a78fce103e

SHA512
290b0a4294373fd3700ab35f04c8991716b12f91aedbc3322b949d41fe85adfd8d44631df1ea9128804c266ff463a1f5e4ccec9d2e633a8240b2aab4813e16c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b39d7837fca339e4c12c8542e642112c

SHA1
edb50d56848f47f50001f0ee5a370541be5976af

SHA256
e19b9d3cbfad60b3504a2ca821d6ad2968784f713863ddf1e264c6df48fdde4d

SHA512
9c29b22a1a395646914b3bf3419bedb5a83fca225c51f5682487e6299832d4f2a29ace0e31b3c7903ab36ca1d3a22ac848499cccbb3eb758225b477354f2750a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a7d553428653abd09d70aaccee89f9a7

SHA1
61089fcc78c2971811ced367bef53efd1757aeed

SHA256
c0fc9cf7c7e2f45a2d2a5723cafd026fbab0b48765287dfa7905cc4dddeda978

SHA512
b3026aba36876e87574d0db12756a9ee633f0384ad18f6770c93268e2a5dbb8fb7824ae18e4ac10ef01010fcb40bce61e489427a79068c0d37ad3e2a2808972a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c65c2aa4168003c6acee3a58b0f62dba

SHA1
fd0f3a58cfbd6a091e9f9899613ef5c062be6c95

SHA256
7bc107cf45fddb77baaf59ee59ffa6ea14f3d5f1379b0bba762a402606fa6d76

SHA512
57b75115224072652a699c630e555539da381519e0170076d233f72ad87e1fcdee8a5e6767866b709613b9848499ef707c243b3c3359ce7eb1a59689e754be41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4265927f51dccd356f92f013332eeb32

SHA1
5992b642b58eee0a10399910af6566f67356b537

SHA256
f73fa171faa2a1a76777b929889fc2e6e736d703af52643995dc03159a7f31a9

SHA512
a0a77ad9cbd39de15d140e9c22ddd7013f1c4b11b2f5322c9690944f76b3e59c47b69d5432f7b59a023711c256575d3d14120dfdadc4d8d7814355cf363ddb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
cc420cc45f686797b102b94f6bfda2ee

SHA1
2b0b5d4848cc346c341cbd51d5fc6ce8a08910e7

SHA256
23f845e57c6718a65f93b97ac9c425d7abaad84f75e77e662c4df298305b9a19

SHA512
2410ec9ef56e8ad547219c4ffde2d02ab4fe8ea668c51f6519e224805770375427a4db95eab5e5f062ebdf36323c5bf03d1633508776fa553da2e8c408846092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
832b664db8c95c83ff39b95fac93bb5b

SHA1
9d244b3081440efd5dcb15c341b2e790e5af359c

SHA256
d1d1d00928970105a43609aa8e2516b41e9473ac285cb591fecaf74b69213487

SHA512
0d46d177ca250277b341f04e3e4565b048069a14993bd1d89d38d03ac8cc4b499dcb2c181bd86f12f903054923a3bb47787d229ee975d900dfd6297db22c246b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e6e720fe98329aaff96278864a95ad9

SHA1
2733b3b240bd37571c2ce52f74cfa148ec5e281e

SHA256
b295a19825b00a34c27adf9b0e44283d34493fd60a38ec5d2774cdfb962ec9b8

SHA512
55e63d39f02f1e474efd011327baa0bc8ead07c59961dc7c734da823a44cd36f82d7bdb0b9c3a5594bd0d6662bb23937b0327b08e8eb324eabbd1b8e7d292caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fdaa5ae40152714434c5920ec3c6fcd8

SHA1
6129a625f9dcd877b9448849246857a6cc00619b

SHA256
df2ab44c997aca02f0784b3602ff71732c2e06df75d14b6b0f6dd00b42829732

SHA512
d869c6fea04d70e6ae996c12165ed3dba39f637ea1aba4bf9986a214e21773a71850d5559cb9c6d5acc64d2cb8825d00bede41cbf351e629db0217d72baee26f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cbba39a538d4227a39fc86635742395d

SHA1
94827ee543e06abd209f51af18260616187edcf6

SHA256
9a4fc3941a452c83447d9840d4fb58c9ea75557a4de824103fc84e1ab6c81d02

SHA512
8df591fdead6c877c11685d127cf2f768df7d5e4dfee39de786fa48f523b49dbcfc8c7e5b0e661e3a190c5a9b0d797e781af833656ec2393f077389ed0ecb20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b159409dff1eb3c5a21783d7ae332a2

SHA1
97a79fd9f607b482e9ed8016f2093bc3b9c23044

SHA256
04af9b7e90345d754912a50fc2b686e5169dbd5bfd135edf265e2e96a0734174

SHA512
0a668c717586895d10d1d493724a08a3e7069881c75753775f7e6281492f5ecbd4e3c7143bd64f414c09009b5ebf16b96b31821b30eda77f035b9070af851cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
620dab448a9b80ace2de12a25919b61b

SHA1
09fddada9e87c23b6f0935a9a75a337316ab5241

SHA256
91685401cb83802d6e1f970fbf512b13e260ec71bcb060dc2ab4b16cf1bf3c31

SHA512
26cb42162226e56e20db643254554dac6ef13940c65fff91bf49543b0efe7e98806f33b8cf87a91d016ee79d9f981e1fb238f0495aed728fc716f12375213676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3c23dc9afa7e9577d77e5a70952d624e

SHA1
e888898cef0d77e91d5ba61f59896e98cadad35e

SHA256
524665898b330a81b866518d1f3bf69d2b4b84620a6f60357f445ef928147c55

SHA512
4b189aa9b30021ccacb06476c9d85679a62f3b124ab05fe03cf76d36b0b494b6e403337dace520103520ccb943a02ca264ff10032dd5a2324157bfeb39054950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5884bb.TMP

Filesize
1KB

MD5
cab5426b56494d7cc0ed3c178b9f8ad9

SHA1
53c05ab3ef21ca5043f3de4f43add196f030ed8c

SHA256
7b136229e1cd8a6104852b1baf85a52ab6e728506a25c31ce0c11e66815bb596

SHA512
79bd4ea761b18865141c91f1b7e0cdfb19decea90b7cacf0ec65879fd86f848239bcd7922a971875a4b2eeb309072b931ab4954c20b626f1a98f54f45b8ea202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e3d610d01869debfe74736ef542819e

SHA1
29aec6f7cea46f96928193b096399620265e1cef

SHA256
c315c9a2ee46fc203603ae8be6eea9d5c65c7041a4b59241e6bb3b4ae677aed2

SHA512
3c78b203d5f9e2d4c4b591cdc686d82776f5a830ae89f1e6d9d631b932794f71aea828a6f202d69701d2fd174d88da4499881c3d3b13a2a149481e7ac62f4c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f02ce214ee817f3d21c20619ca4abe81

SHA1
f501fa9fc1085fd2f397301853973fcc1ca5649d

SHA256
621e3f057f7718bd5dbb10b019b6549d68a847c0b344076e1f1a309f5f7c4a1d

SHA512
7d22a4dcd74107daca6272d1ffcef798414d0ed30196a4f6b028eabad474f9a2e3ed586600eeb9ee7a6046f4992a90864610692a65c6da3ad0ed421d16ff651f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f5570651189e20a4bb22825d4b48da2

SHA1
2200de884ee30a531d184b0cf3e0c3127dcffe4f

SHA256
14d120e86154cba1c0f05308e1434b39b129facbf83509a3bd4dd1518e00ced7

SHA512
f152bd0734349db6639d000e6d9e6e4ea16e0c5a7821fc397fa73bfbaa0ea13498e483d68d2e069ea49a5219a8711815c523d4d04b5053d38756e8b988eef028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
142cbaa285da6878ff4bfe20ee1c0cd5

SHA1
1aa1160167dd6685b3acd5c021ea38cb6f4cbac0

SHA256
a13fefb249946acfb8f2e072a1a15519adb986e802afe4450e7addf50ba83bda

SHA512
270456b62aec0511376a792437b53ec993e6d5832b485976e5738e1fdc7bbf82c4fbf6bd7c0642a702af55cb1a18733bc2a74334d40e531a016b5708ff8e5900

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
14336ad64bd6754d4b38ae6cab9ff0ef

SHA1
46004f8ea3b7f812cd747c5401109f2dea92497d

SHA256
613d50e40df79c031805293219027ff88691bdeb5049a2d13fa6a4baa0b80c76

SHA512
d36cbed1df6aeaba8b6b385430f9719a29d8dffc416550febd7a691c28e79f2001c39511828d6084d86c12e595bbd24e05eff26fb933843e8377f3b8b79fe32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.il

Filesize
399KB

MD5
8c535860a3e930693bcd0b3208420543

SHA1
7c43801272b18ac958e6099567d37bd93150109b

SHA256
8babcbeaab9bb7b31e4c7bf6ac9493ee5ce154bfb46cbbec9c5b7744bc799b91

SHA512
1fbfea733375df9c4cf737544e73f3216608a5c50443f480ee24705f0a0e4f21cc88b8c1f00badd9716c67ebe31a351890b72eafde784cdd46e5a5533b3690ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
8d682fdfdd6827f8577453775ba8df3f

SHA1
1e2fbe859ee5aeecdf44c92170b8ba3206345a59

SHA256
cf7c3ef5c57bf0e8ae30aa29c5e557d1fb3818ff16f5d82e148cc3aeefda479c

SHA512
1d3ab3647ce932a47e664fca0fe75acbb5ae68c6011d545564cb7b2749e5539ebcc332b147ddb7b98b44c3ae5ce7039b18aabe8c12aec6be5a3d3ee77f9b93aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
0f3ae5a08cb5b2ca5fd49f70f3cce986

SHA1
8b5bf4e11873445de8e829daa16ac8c4ea7b4da5

SHA256
b338799cd8beaae0e43556d28577953942dc7ca7cb0f293c1a8193270e85214f

SHA512
506794986a001814d384f3b3e3273f8aa2d62beedea7878bf86a876cd56be0264ab71de01687c3566b87c387ba9b2d0926eb564d1e25058608689d1f55baa4c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\AlternateServices.bin

Filesize
8KB

MD5
3c4f4d429a23fc90460837efe28be352

SHA1
06ed8e93a062d3348d8fa0d6e3a24dde5d120430

SHA256
d966d5ef780513ca2c3e2dd932fd2a0c1f85e2d9b9cd7d448f7e9aee772b0523

SHA512
39403dbea0f68a11a230ef8bc41e85c8e8bda5841bd5d0ae59329db91e187ae63874e5668c7d58fb2f62ad3deefa5beedcfbb7f6cbc15798b7aa8d5cb35b1a64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5a33aaf89d8a3d70f495045d468d98e1

SHA1
24de614f729a637ee61d9a78c51ac413ced4a0e3

SHA256
fbd2da0f2504432ba3cece5a4eadc72d7839d97d8af9d25b4d55131bcd5be03f

SHA512
6528cd1f2eb1829190ff7cd14b67628ad214363017678ce2f123812916075c03b35e9ce0193d618847ddb9852df2bf02f461dac4364bc0e6857bbbb727e86275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
cda72ed0ab822968159d890a4e619d98

SHA1
f1a5c95a628c37644b31a4915868984948bb116c

SHA256
17505b62400afdaa8171b66f6afd872f74ecda7c96b4c6e7f3322ea32c5892d7

SHA512
a95851738678a1769540624b5da449351bf0bb38c37e1fd06a9dfc820be2a19c690a2bbeb8d49dfa0154924ad6680e951a04b76524025202fa02592cb4c54a75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2e406e89ad7a2a40c69c1c56c6d9ab8c

SHA1
14779b0f95bf93c8eb0e0404e6f56ccf53408d6b

SHA256
d55cfc1458c0b6cdfe0a569db18c611b408621de4b9a0866d355120ad88613c7

SHA512
1c1cf228993a0108ebe665d58f73d6b31e2941cab0d1f274677d80ce8076b810fc8533f89234a09629de25075a72e8ebcecb0af8dbc3cf9eac972ede7bae4c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\pending_pings\24747dcd-5cca-4da2-a1b2-a861146c5896

Filesize
982B

MD5
d4e01dc379146608938ae7a904264279

SHA1
bc53c47b4643efade5d2b94478a914325d6418c2

SHA256
2ed77a5e20772cee45ce0fcaf8af4b9db89c9cdc5dd942e0f28b0a04ecdb6835

SHA512
490c63dfc49766bcdd6e97e86db86950a28ae9716cd36be44e3d2a3692d5a60f5f9d1c23551da126f0f90eb7a41fa2189c6e5210ab20bca9c9890e81ddd05faa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\pending_pings\56dde38b-9f93-4a46-94ae-f2b3de0a9ba7

Filesize
671B

MD5
0bea71b76c69fe7910f19931673f3ef7

SHA1
a53b32f73a3683ced5aa7b7de14f2588d257be71

SHA256
561a608e1fb0619c8e352e55dac33e59aaf620fc400f825f1eab37863953b96d

SHA512
ccc4b32e1932c4ecccf08e8dd6a27b4a0fa71b2993c3e07f143dd215dd1c2ae1f0d081321182f0811cb5c2867de31ef2b73d6fd4ffe0af887fdf277e847d0755

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\pending_pings\916d361f-baf6-47ac-b847-5a6642032c35

Filesize
27KB

MD5
0b8377fc58f5bc4b0b6722e3be942d65

SHA1
dfd43adc92f4e07faf6cccc08c85036d9b35cddf

SHA256
1418570aef2d55af53c0f59a18d6c3682efaf6533499844f408c548e2910082c

SHA512
5af61ab0052548dc6c504c814ee6cf7dbe6ae589bed313af4c53b5f0923572b43652b9e0d195f32b40e1382c67f64b26c8a73579365f855c14323177658e2fa4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\pending_pings\afa8e2a1-851e-42c5-8fef-0ac7752612a6

Filesize
4KB

MD5
de849b7cdcd728e8f8934c713d1fe0e2

SHA1
21fc21f96f298cf519c4aabd41004958bf8b784a

SHA256
15d3fabaa66856cab0f6c5dfb3a4a837e0fad5fcd15aa31c61ac68ffe199e340

SHA512
c7860d25fd6db7cbf467c0ea6bb07d82e3e7210f55c1374f7be2587d874defd60fabd6c3c29d03a86ea495f0e8f6b6dc501c18b7167ca13d9cbc1fa7277f40ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\prefs.js

Filesize
10KB

MD5
bb27d3835d7a20f0eeb3cc2919a80e07

SHA1
a8901967c806a383809992cf9d13d355a3a3b872

SHA256
20cfad912d0d7eca6f9ecb41e8fb19ccbf504556e92574c32c18eea716905b70

SHA512
b1afc6a8b47c2ca91f4d29d3cccda756231e06e27a8a546b592c1d0bd936e00cf43f68857a8080a19dbd21c32d293dbcdef170ab49d4f474ee9f2b1a6583df70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\prefs.js

Filesize
10KB

MD5
38e49a79aeee0cf5e18c6d07131f0a2a

SHA1
d0aaa79caf06ec125ff2e3442e1a61190a5479a9

SHA256
d1035857f810b4beab5db417fdcab46ab7dec75e3bae7ea9787f16a305ba9b40

SHA512
779b93810f8c7f360ff75f6e2a182a74c61dcabb81f05372e6d2b0e5ffe3e8db34f4789eb580aee7f64843e787f577fe82ddf909aa37f7dcbe93cab56cb6df6a

Download Submit
C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-1-master\NjRat-0.7D-Green-Edition-by-im523-1-master\Server.exe

Filesize
36KB

MD5
f61eb64c8be0f800b62348aed0005455

SHA1
c475cb0d4776d4754198ea899d23150dcb8f6f44

SHA256
676e43b9321b3d76a74d605794cc86204fb50259b3c658eec2ed8e8cac2ca4bd

SHA512
934ed4e5fc1c9b78b1f0618432e7ea72b195b7c4307ef50d779ee63e299cd4f62f2b9a931f8a45e0a4e1b871d0828bb4a005c6b93dbf20f3f34cd71f22123145

Download Submit
C:\Users\Admin\Downloads\Njrat 0.7D Green Edition\NjRat 0.7D Green Edition by im523.exe

Filesize
2.5MB

MD5
db03ed78b35220d0a178d0c4cba27e76

SHA1
ba576c67c78c680e2f8c5375d294b5dbd7c3250e

SHA256
42b9c295089c7cf9141f5d0a40a1155cfd3627888579473f8c9b80e8e3ea1c48

SHA512
c272cfef5199450c903443ae3259191d1ecfd8795854e297aef36c819af8887233419b98bb54e5e5894846a1454c398991487547191c66de00881c31e6d1ae93

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 264809.crdownload

Filesize
2.8MB

MD5
77ddab4d4d6660d37e196938a5cc8979

SHA1
1401c14fc8b6e1cfd3d27ae1221e3868f5d0bcea

SHA256
eb37f92d1b15e9fefd836b1dabac9ead57eb279b1744f9ca51622bb608b05f86

SHA512
3797bf795a4554bac2f0f8ff21bfc9a6b9a79378c1cf89a8247f2c2905975dd34fc6098b16dfbde348f3384e805b88ed639e35a919769579d37cd9a94bcb5ca0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 352370.crdownload

Filesize
3.5MB

MD5
e92757fe498ab2589b04d5c5c0147d9d

SHA1
b050397d7e6c826a71038c1d9687a4f13515804d

SHA256
389b0402dc7e8a6e361ccdf332beb41f57f4d40b8acdd3d3493b87555ee8ddd8

SHA512
a6199d6fd416577935504ea2760ecfbc693c452c36583614c614a195f584b3ec1186b76d228977e67e259afc1546c88c96e64ddd8e235a42485a2235322dd183

Download Submit
C:\Windows\TEMP\eifkkeejnqte.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/4744-1188-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1193-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1196-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1197-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1201-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1200-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1982-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1983-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1981-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1192-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1199-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1198-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1189-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1195-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1980-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1187-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1194-0x0000000000ED0000-0x0000000000EF0000-memory.dmp

Filesize
128KB

Download
memory/4744-1190-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4744-1191-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5044-1181-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5044-1180-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5044-1179-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5044-1183-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5044-1182-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5044-1185-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download