crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/13432-316279-0x0000000005720000-0x0000000005748000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00070000000241bf-348380.dat	revengerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/7524-316832-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/7524-316844-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file 8 IoCs

flow	pid	Process
105	2132	chrome.exe
105	2132	chrome.exe
105	2132	chrome.exe
105	2132	chrome.exe
105	2132	chrome.exe
105	2132	chrome.exe
105	2132	chrome.exe
105	2132	chrome.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7060	netsh.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x000200000002362f-505.dat	office_macro_on_action

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	Remcos.exe

Executes dropped EXE 4 IoCs

pid	Process
14004	Remcos.exe
5464	Userdata.exe
6764	Userdata.exe
12248	Userdata.exe

Loads dropped DLL 1 IoCs

pid	Process
6088	WINWORD.EXE

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
104	raw.githubusercontent.com
105	raw.githubusercontent.com
175	0.tcp.ngrok.io
281	0.tcp.ngrok.io
329	raw.githubusercontent.com
200	0.tcp.ngrok.io
261	0.tcp.ngrok.io
350	0.tcp.ngrok.io
103	raw.githubusercontent.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	Userdata.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	Userdata.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BreakTart	WINWORD.EXE
File opened for modification	C:\Windows\_CutButterball	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Userdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3556	PING.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880919746474275"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
4472	reg.exe
3420	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3556	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3888	schtasks.exe
7236	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6088	WINWORD.EXE
6088	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
5520	chrome.exe
5520	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeTcbPrivilege	4124	svchost.exe
Token: SeRestorePrivilege	4124	svchost.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
6088	WINWORD.EXE
6088	WINWORD.EXE
6088	WINWORD.EXE
6088	WINWORD.EXE
5464	Userdata.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 4724	2696	chrome.exe	86
PID 2696 wrote to memory of 4724	2696	chrome.exe	86
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 2132	2696	chrome.exe	89
PID 2696 wrote to memory of 2132	2696	chrome.exe	89
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 3088	2696	chrome.exe	88
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90
PID 2696 wrote to memory of 2280	2696	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffca1cfdcf8,0x7ffca1cfdd04,0x7ffca1cfdd10
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2076,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2112,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4232,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4268 /prefetch:2
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5100,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5096,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:5556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5044,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5844,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5320,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:5748
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\NetWire.doc" /o ""
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6088
- - C:\Windows\SYSTEM32\runonce.exe
    runonce.exe
    3⤵
    - Process spawned unexpected child process
    PID:12168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5232,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3204,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5700,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5924,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6064,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=1512,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5448,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6104,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5960,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5040,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5000,i,3130032893092754575,14477180042541746305,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:6972
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  PID:12596
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    PID:12892
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:11652
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3423790231 && exit"
      4⤵
      PID:9508
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:52:00
      4⤵
      PID:12740
  - - C:\Windows\4659.tmp
      "C:\Windows\4659.tmp" \\.\pipe\{B88FE56F-F595-4414-AAD7-1E51EFD64681}
      4⤵
      PID:11828
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  PID:15264
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    PID:1500

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124
- C:\Windows\system32\dashost.exe
  dashost.exe {25829d4a-e62b-493b-9e36258bab78b89b}
  2⤵
  PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7800

C:\Users\Admin\Downloads\Remcos.exe
"C:\Users\Admin\Downloads\Remcos.exe" C:\Users\Admin\Downloads\WarzoneRAT.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:14004
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12572
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9688
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3556
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    - Executes dropped EXE
    PID:12248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Userdata\Userdata.exe"
1⤵
PID:12420
- C:\Windows\SysWOW64\Userdata\Userdata.exe
  C:\Windows\SysWOW64\Userdata\Userdata.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5464
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9428
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4472
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Userdata\Userdata.exe"
1⤵
PID:14420
- C:\Windows\SysWOW64\Userdata\Userdata.exe
  C:\Windows\SysWOW64\Userdata\Userdata.exe
  2⤵
  - Executes dropped EXE
  PID:6764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:12424

C:\Users\Admin\Desktop\WarzoneRAT.exe
"C:\Users\Admin\Desktop\WarzoneRAT.exe"
1⤵
PID:13432
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12B5.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:7524

C:\Users\Admin\Desktop\CrimsonRAT.exe
"C:\Users\Admin\Desktop\CrimsonRAT.exe"
1⤵
PID:14560
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  PID:11288

C:\Users\Admin\Desktop\NJRat.exe
"C:\Users\Admin\Desktop\NJRat.exe"
1⤵
PID:10252
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Desktop\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:7060

C:\Users\Admin\Desktop\RevengeRAT.exe
"C:\Users\Admin\Desktop\RevengeRAT.exe"
1⤵
PID:11300
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:6900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:15096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ej_ydvxu.cmdline"
    3⤵
    PID:13100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB202.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc539FBD5F6BEF46A083A0EFF3A8CE65FA.TMP"
      4⤵
      PID:4640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fnufqdyb.cmdline"
    3⤵
    PID:10368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC413.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24FD167A26F344E995EE87DE3EDE8E65.TMP"
      4⤵
      PID:14076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\txhqhozk.cmdline"
    3⤵
    PID:11052
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    PID:12336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:7416
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:12752
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\voxrs1hq.cmdline"
        5⤵
        
        PID:7040
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6203D34C65DC41D993CCD53714DE29F6.TMP"
        6⤵
        
        PID:12472
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n4anug0h.cmdline"
        5⤵
        
        PID:14664
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES691D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89998E438B084400B7F983A813AFC2D.TMP"
        6⤵
        
        PID:9804
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7236
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\btsrge4f.cmdline"
        5⤵
        
        PID:11024
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES784F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39153325C6784A81B4C88398A478755F.TMP"
        6⤵
        
        PID:6724
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y2fionwr.cmdline"
        5⤵
        
        PID:1128
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc299D647B49474CED96EBD06C59C4CA31.TMP"
        6⤵
        
        PID:15296
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\396ockjg.cmdline"
        5⤵
        
        PID:8440
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9424.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C003A5D97214D2896DCD11FC726FCE8.TMP"
        6⤵
        
        PID:15180
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nyva2css.cmdline"
        5⤵
        
        PID:11424
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1908095C63E4A2CA556DEC65964B7B.TMP"
        6⤵
        
        PID:6428
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\negif2ao.cmdline"
        5⤵
        
        PID:10128
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc737F12D77D2D4157AD8BD5CCFF563B4.TMP"
        6⤵
        
        PID:3048
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\luv_7zsm.cmdline"
        5⤵
        
        PID:8052
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC17E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1E55B51CB984A12939D39A18ECCFE43.TMP"
        6⤵
        
        PID:9792
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\76okgb6c.cmdline"
        5⤵
        
        PID:8076
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC95D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB3098C77B9C472B882F79E2EA75AB7D.TMP"
        6⤵
        
        PID:10968

C:\Users\Admin\Desktop\VanToM-Rat.bat
"C:\Users\Admin\Desktop\VanToM-Rat.bat"
1⤵
PID:12524
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  PID:12584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\VanToM-Rat.bat
1⤵
PID:6536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
1⤵
PID:10236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8788
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13976
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12340
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:3544
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12376
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10388
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13108
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10288
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11512
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8612
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13216
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12612
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7228
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:704
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11688
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12696
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11392
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9476
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12776
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10208
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14444
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7192
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12052
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7332
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12016
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7744
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12976
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12980
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10036
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7820
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2068
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9472
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10872
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9056
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11480
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12396
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8884
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11492
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8888
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2064
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4036
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14060
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8240
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10888
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13112
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11204

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10112
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7072
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12896
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13368
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14944
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10532
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13200
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11904
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12252
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12488
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14792
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8768
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13896
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7824
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13948
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11900
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9736
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1404
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11856
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6516
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:3704
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10644
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14624
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13596
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11396
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13764
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7984
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5980
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11972
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6688
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7396
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13220
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12888
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11140
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9304
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:15092
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9696
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4620
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4472
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11280
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1500
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12756
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14504
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9084
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14764
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14200
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13672
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9716
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10784
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12916
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10148
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12892
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4544
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14864
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10420
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10456
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5396
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
1⤵
PID:12276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8540
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7820
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14532
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9872
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10412
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:15260
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2868
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9416
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13592
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9832
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7164
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8604
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8860
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7788
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14400
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11948
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10552
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8180
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10652
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13284
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12132
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12364
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1452
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7628
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12956
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12864
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8792
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12688
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8472
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12928
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6576
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7008
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9104
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7408
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13596
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11348
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11132
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8252
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14564
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13088
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11684
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5900
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5340
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9152
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6476
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:3584
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13960
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5460
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5524
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9760
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11836
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13856
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7128
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6656
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14448
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13940
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7320
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:15068
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9616
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8028
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8652
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:15152
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14900
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12392
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7640
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8524
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8756
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7516
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14044
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:15012
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5572
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7540
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12832
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6904
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12612
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12984
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4932
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10380
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8884
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1376
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9036
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6660
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10560
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9548
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11432
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12776
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5152
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:764
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6028
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11920
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11552
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6868
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4348
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8568
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2784
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5468
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14496
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1504
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11424
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6624
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10588

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
PID:7144
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:12832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14172
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11392
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14056
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5804
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2576
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9380
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11700
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8336
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12940
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14180
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7188
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6016
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9108
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13980
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8964
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:684
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13916
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11824
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11368
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12892
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10028
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14776
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13284
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11852
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6800
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4032
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11900
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12040
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11496
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9196
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4280
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14052
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13048
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6264
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4252
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2160
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6348
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14236
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:9548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8628
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12728
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6996
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12564
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8144
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8312
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12744
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7848
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5304
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14212
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4064
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:8684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11408
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5420
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5776
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6104
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14884
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7972
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9292
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9652
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7860
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6860
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5388
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1084
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5444
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11116
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1548
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12048
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:10124
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6948
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12128
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:3820
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9228
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:14544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5188
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11108
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13544
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13020
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11244
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14640
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6944
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6932
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11128
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:656
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:15332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14456
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:11120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5636
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:9200
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5428
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:10084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4704
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:13340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13792
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:12516
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5520
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:12364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1936
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:8832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:15128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:11800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:14888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:13656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

Remote System Discovery

T1018

System Information Discovery