njrat | hxxps://github[.]com/charlie-60/NJRAT-ALL

System Information Discovery

Processes:

NjRat0.7D Horror Edition.exewininit.exeNjRat 0.7D Horror Edition.exenjRAT Arabic.exewininit.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	NjRat0.7D Horror Edition.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	NjRat 0.7D Horror Edition.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	njRAT Arabic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 9 IoCs

Processes:

NjRat0.7D Horror Edition.exewininit.exe1oiu100u.cal.exeNjRat 0.7D Horror Edition.exePayload.exenjRAT Arabic.exewininit.exenjRAT-Arabic.exebmz4kyyz.ipn.exe

pid	Process
5488	NjRat0.7D Horror Edition.exe
4276	wininit.exe
4320	1oiu100u.cal.exe
5872	NjRat 0.7D Horror Edition.exe
5776	Payload.exe
6020	njRAT Arabic.exe
6048	wininit.exe
3812	njRAT-Arabic.exe
3396	bmz4kyyz.ipn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
88	raw.githubusercontent.com
89	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

OfficeClickToRun.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ilasm.exePayload.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exechrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exeExplorer.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\54e5b453_0	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\54e5b453_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\54e5b453_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_8086&dev_0022&subsys_80860022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\Downloads\\NJRAT-ALL-main\\njRAT 0.7d Horror Edition\\NjRat 0.7D Horror Edition.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\54e5b453_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\54e5b453_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\54e5b453_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000	svchost.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

OfficeClickToRun.exesvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732804776"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8EDDE341-6043-44F9-8E11-D9E3F6A00C16}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 28 Nov 2024 14:39:36 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe

Modifies registry class 64 IoCs

Processes:

Explorer.EXENjRat 0.7D Horror Edition.exemsedge.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NjRat 0.7D Horror Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D Horror Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	NjRat 0.7D Horror Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NjRat 0.7D Horror Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D Horror Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D Horror Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D Horror Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D Horror Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\1 = 78003100000000007759717e10004e4a524154567e312e352d4100005c0009000400efbe7c59e3747c59e3742e0000005f3e0200000007000000000000000000000000000000809698006e006a005200410054002000760030002e0033002e00350020002d00200041007200610062006900630000001c000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NjRat 0.7D Horror Edition.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	NjRat 0.7D Horror Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	NjRat 0.7D Horror Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	NjRat 0.7D Horror Edition.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D Horror Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D Horror Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\1\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D Horror Edition.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	NjRat 0.7D Horror Edition.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D Horror Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D Horror Edition.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D Horror Edition.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	NjRat 0.7D Horror Edition.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

SCHTASKS.exeSCHTASKS.exeSCHTASKS.exeSCHTASKS.exe

pid	Process
5700	SCHTASKS.exe
5416	SCHTASKS.exe
5884	SCHTASKS.exe
1728	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exechrome.exemsedge.exepowershell.exe1oiu100u.cal.exetaskmgr.exe

pid	Process
2388	msedge.exe
2388	msedge.exe
3092	msedge.exe
3092	msedge.exe
3444	identity_helper.exe
3444	identity_helper.exe
5008	chrome.exe
5008	chrome.exe
5484	msedge.exe
5484	msedge.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
5012	taskmgr.exe
5012	taskmgr.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe
4320	1oiu100u.cal.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
3520	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exechrome.exe

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exepowershell.exewininit.exe1oiu100u.cal.exeExplorer.EXEsvchost.exetaskmgr.exeAUDIODG.EXEsvchost.exesvchost.exe

description	pid	Process
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeShutdownPrivilege	5008	chrome.exe
Token: SeCreatePagefilePrivilege	5008	chrome.exe
Token: SeRestorePrivilege	1512	7zG.exe
Token: 35	1512	7zG.exe
Token: SeSecurityPrivilege	1512	7zG.exe
Token: SeSecurityPrivilege	1512	7zG.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	4276	wininit.exe
Token: SeDebugPrivilege	4320	1oiu100u.cal.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeAuditPrivilege	2764	svchost.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeDebugPrivilege	5012	taskmgr.exe
Token: SeSystemProfilePrivilege	5012	taskmgr.exe
Token: SeCreateGlobalPrivilege	5012	taskmgr.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: 33	2192	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2192	AUDIODG.EXE
Token: SeAuditPrivilege	2076	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	2304	svchost.exe
Token: SeSystemtimePrivilege	2304	svchost.exe
Token: SeBackupPrivilege	2304	svchost.exe
Token: SeRestorePrivilege	2304	svchost.exe
Token: SeShutdownPrivilege	2304	svchost.exe
Token: SeSystemEnvironmentPrivilege	2304	svchost.exe
Token: SeUndockPrivilege	2304	svchost.exe
Token: SeManageVolumePrivilege	2304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	svchost.exe
Token: SeIncreaseQuotaPrivilege	2304	svchost.exe
Token: SeSecurityPrivilege	2304	svchost.exe
Token: SeTakeOwnershipPrivilege	2304	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exeNjRat 0.7D Horror Edition.exeExplorer.EXEtaskmgr.exe

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
5872	NjRat 0.7D Horror Edition.exe
3520	Explorer.EXE
5012	taskmgr.exe
5012	taskmgr.exe
5012	taskmgr.exe
5012	taskmgr.exe
5012	taskmgr.exe
5012	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

NjRat 0.7D Horror Edition.exeExplorer.EXE

pid	Process
5872	NjRat 0.7D Horror Edition.exe
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE

Suspicious use of UnmapMainImage 3 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	Process
4004	RuntimeBroker.exe
4156	RuntimeBroker.exe
3280	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3092 wrote to memory of 2184	3092	msedge.exe	84
PID 3092 wrote to memory of 2184	3092	msedge.exe	84
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 1776	3092	msedge.exe	85
PID 3092 wrote to memory of 2388	3092	msedge.exe	86
PID 3092 wrote to memory of 2388	3092	msedge.exe	86
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87
PID 3092 wrote to memory of 3272	3092	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1160
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1500
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1828
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x330 0x48c
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2908

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/charlie-60/NJRAT-ALL
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1fe846f8,0x7ffe1fe84708,0x7ffe1fe84718
    3⤵
    PID:2184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2372 /prefetch:2
    3⤵
    PID:1776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
    3⤵
    PID:3272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:3992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:1584
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
    3⤵
    PID:636
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
    3⤵
    PID:3720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    3⤵
    PID:3672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
    3⤵
    PID:4652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
    3⤵
    PID:392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
    3⤵
    PID:2832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6844 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,18206467823637024685,7110510286612368595,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 /prefetch:2
    3⤵
    PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:5008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xbc,0x124,0x7ffe0be5cc40,0x7ffe0be5cc4c,0x7ffe0be5cc58
    3⤵
    PID:4424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,12994555829500952478,18104097203379666370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1868 /prefetch:2
    3⤵
    PID:2972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,12994555829500952478,18104097203379666370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2016 /prefetch:3
    3⤵
    PID:5128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,12994555829500952478,18104097203379666370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2244 /prefetch:8
    3⤵
    PID:5200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,12994555829500952478,18104097203379666370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    PID:5332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,12994555829500952478,18104097203379666370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:5340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,12994555829500952478,18104097203379666370,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
    3⤵
    PID:5640
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1051:90:7zEvent24731
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\NjRat0.7D Horror Edition.exe
  "C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\NjRat0.7D Horror Edition.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\wininit.exe
    "C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\wininit.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\1oiu100u.cal.exe
      "C:\Users\Admin\AppData\Local\Temp\1oiu100u.cal.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4320
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "Masonwininit.exe" /tr "'C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\wininit.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5700
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "Masonwininit.exe" /tr "'C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\wininit.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5416
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4676
- - C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\NjRat 0.7D Horror Edition.exe
    "C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\NjRat 0.7D Horror Edition.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\Payload.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4844
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1968
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:5012
- C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\Payload.exe
  "C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT 0.7d Horror Edition\Payload.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5776
- C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT v0.3.5 - Arabic\njRAT Arabic.exe
  "C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT v0.3.5 - Arabic\njRAT Arabic.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6020
- - C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT v0.3.5 - Arabic\wininit.exe
    "C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT v0.3.5 - Arabic\wininit.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6048
  - - C:\Users\Admin\AppData\Local\Temp\bmz4kyyz.ipn.exe
      "C:\Users\Admin\AppData\Local\Temp\bmz4kyyz.ipn.exe"
      4⤵
      Executes dropped EXE
      PID:3396
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "Masonwininit.exe" /tr "'C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT v0.3.5 - Arabic\wininit.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5884
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5372
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "Masonwininit.exe" /tr "'C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT v0.3.5 - Arabic\wininit.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1728
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5816
- - C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT v0.3.5 - Arabic\njRAT-Arabic.exe
    "C:\Users\Admin\Downloads\NJRAT-ALL-main\njRAT v0.3.5 - Arabic\njRAT-Arabic.exe"
    3⤵
    - Executes dropped EXE
    PID:3812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4884

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2708

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2848

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4112

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4484

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3300

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery