troldesh | 0d5855561068de6c066bc59f57bda18d4562c9251eab6efdcc62c2fa841a31df

Resubmissions

03/04/2025, 08:57

250403-kwqt9swn12 1

03/04/2025, 08:56

250403-kwcyeattfx 1

03/04/2025, 08:50

250403-krvyeswns7 10

Analysis

max time kernel
191s
max time network
281s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250313-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250313-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
03/04/2025, 08:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Ransomware
Size

284KB
MD5

817dadcc515a58042452c5cba374b778
SHA1

f2ccd9ad0197b1a90b04a1e5812dde9446743ae7
SHA256

0d5855561068de6c066bc59f57bda18d4562c9251eab6efdcc62c2fa841a31df
SHA512

a6864ce2df4eeffe4457a206f3c1bb85be80ce65f4743aef2facb0f2b18d33b7bb8e8605c11fbbbdc5d57324f8496832b211e39c7930eb0e5b957891d681049e
SSDEEP

6144:UQNGVp8c/saqkPV97HILqgIDSF5Iz9BvZJT3CqbMrhryf65NRPaCieMjAkvCJv1Q:VNGVp8c/saqkPV97HILqgIDSF5Iz9BvF

Score

10^/10

troldesh wannacry defense_evasion discovery execution impact persistence privilege_escalation ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Downloads MZ/PE file 3 IoCs

flow	pid	Process
122	4768	chrome.exe
122	4768	chrome.exe
122	4768	chrome.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6124	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB41D.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB424.tmp	WannaCry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe

Executes dropped EXE 23 IoCs

pid	Process
1820	WannaCry.exe
5960	WannaCry.exe
5172	!WannaDecryptor!.exe
5600	!WannaDecryptor!.exe
1140	!WannaDecryptor!.exe
4124	!WannaDecryptor!.exe
5200	NoMoreRansom.exe
2320	csrss.exe
4456	NJRat.exe
4684	NJRat.exe
3836	NJRat.exe
2960	NJRat.exe
6068	NJRat.exe
3088	NJRat.exe
5636	NJRat.exe
4592	NJRat.exe
5584	NJRat.exe
5956	NJRat.exe
3152	NJRat.exe
5416	NJRat.exe
1536	NJRat.exe
6060	NJRat.exe
3472	NJRat.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366915068-2945093646-1682508031-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366915068-2945093646-1682508031-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
120	raw.githubusercontent.com
121	raw.githubusercontent.com
122	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2366915068-2945093646-1682508031-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5200-2218-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2219-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2222-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2220-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2320-2229-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2320-2248-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2251-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2269-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2285-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2309-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2328-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2331-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2333-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2335-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2354-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2365-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2384-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2394-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2396-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5200-2397-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
2884	taskkill.exe
3288	taskkill.exe
1964	taskkill.exe
4516	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133881438894815477"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366915068-2945093646-1682508031-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366915068-2945093646-1682508031-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366915068-2945093646-1682508031-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2366915068-2945093646-1682508031-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
3700	WMIC.exe
3700	WMIC.exe
3700	WMIC.exe
3700	WMIC.exe
5984	chrome.exe
5984	chrome.exe
5200	NoMoreRansom.exe
5200	NoMoreRansom.exe
5200	NoMoreRansom.exe
5200	NoMoreRansom.exe
2320	csrss.exe
2320	csrss.exe
2320	csrss.exe
2320	csrss.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe
4456	NJRat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5172	!WannaDecryptor!.exe
5172	!WannaDecryptor!.exe
5600	!WannaDecryptor!.exe
5600	!WannaDecryptor!.exe
1140	!WannaDecryptor!.exe
1140	!WannaDecryptor!.exe
4124	!WannaDecryptor!.exe
4124	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1916	2028	chrome.exe	96
PID 2028 wrote to memory of 1916	2028	chrome.exe	96
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 4768	2028	chrome.exe	98
PID 2028 wrote to memory of 4768	2028	chrome.exe	98
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 896	2028	chrome.exe	97
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99
PID 2028 wrote to memory of 3992	2028	chrome.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware
1⤵
PID:1684

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb74f2dcf8,0x7ffb74f2dd04,0x7ffb74f2dd10
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2068,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1644,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2408,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4464 /prefetch:2
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4744,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5404,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5456,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5748,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5420,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5548,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5472,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5988,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3292,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3456,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3324 /prefetch:8
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3452,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3468,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3328 /prefetch:8
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3464,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4892 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5856,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4864,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1280 /prefetch:8
  2⤵
  PID:1396
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 134401743670351.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5828
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4560
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2884
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3700
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4780,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5984
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4756,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  PID:5376
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4468,i,7167500944605649100,934838202007503612,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1340 /prefetch:8
  2⤵
  PID:928

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\WannaCry.exe" /r
1⤵
PID:5792
- C:\Users\Admin\Downloads\WannaCry.exe
  C:\Users\Admin\Downloads\WannaCry.exe /r
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Windows\csrss.exe"
1⤵
PID:1076
- C:\ProgramData\Windows\csrss.exe
  C:\ProgramData\Windows\csrss.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3604
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5748
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5752
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4292
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6112
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4508
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4532
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3772
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2072
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5152
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3996
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4968
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2844
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:708
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5116
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4472
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1748
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3700
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5460
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3516
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5952
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1648
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2192
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:392
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5204
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1432
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4592
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3028
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5252
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1252
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1212
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6072
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3152
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5360
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6048
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2456
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3164
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:7100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5368
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5072
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3836
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6244
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6252
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6464
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6460
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6660
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:7024
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:7032
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1880
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4656
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5484
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3824
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6444
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:548
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1088
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4888
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1396
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3028
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4672
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5136
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6236
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6848
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6944
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2528
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2172
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5256
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4636
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6408
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5304
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6308
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6240
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6412
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4484
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2492
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6668
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2448
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6532
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6752
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:7076
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:7012
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6908
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6720
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:7128
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6176
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:7144
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5336
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2192
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6236
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6224
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6316
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3088
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3628
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1092
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6208
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4320
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5424
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5236
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3972
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5332
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4412
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:944
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6872
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6920
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3696
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6916
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:7068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5304
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:852
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6484
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4896
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5588
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6112
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5972
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3824
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6620
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1776
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:7156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6284
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6260
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:7072
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6736
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2680
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2848
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2364
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2636
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3352
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2964
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4680
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6972
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6896
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6664
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3088
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4252
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:788
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1384
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:7064
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1148
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5348
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6488
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3036
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:1344
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4452
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3488
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5484
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6544
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:6908
- C:\Users\Admin\Downloads\NJRat.exe
  C:\Users\Admin\Downloads\NJRat.exe ..
  2⤵
  PID:6296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:7000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:2728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c6055 /state1:0x41c64e6d
1⤵
PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\NJRat.exe" ..
1⤵
PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
23c06c8ddbcd07acf8b8566ab34b9dfa

SHA1
d552c6ab27917343c008137aec1e16759bed0ec3

SHA256
f23d8527bd74d3e6afb73640956995021e33c98a930f4eb4b00e3c221b1b4395

SHA512
3d0a1cd0ad72c888cd7c235bd6a9b5f592440581020bc3788b666ddc1ee4a80f8f577d0569f562c920fcf5323964d467feed1f7504a6c4dcfb7341706fa6ef11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2c9245e22f613133e1e49d5f9f437946

SHA1
a12b38617d9de6f352a932a9ebe75e7bd08a05d1

SHA256
6fa3ffa5cdf0e55a2a3aafb075fc2fab7eb434e837465500230b808e71bc1346

SHA512
bade1070ceb9f6f8d285aa20c2dc10f85b4490b6b8c49e86a337bc3cab7e655e00a36ee7a7de8d94fb9d5a325961f6757cd27a42ea25d55711eb75ffc3bd9fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
995a52a2960b8842133c88c797bb3d5c

SHA1
1787c17b93318472d4b47a3d236fcfa8d1b5ebc2

SHA256
cc1b08668611f228d382198f893c83ea3f43c5beeba4b3db884d08ca0ceed7bc

SHA512
ffec927dc7f7970f61489dd30d6e15561fbce78c9bb381d4582398c3e372a8e3d4e28db0ec82a66f939cb167af979c08f9af11d0550f5ddd7d3c1a8b80a8672d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\128.png

Filesize
4KB

MD5
35696aba596d5b8619a558dd05b4ad40

SHA1
7ecc1dad332847b08c889cb35dda9d4bae85dea8

SHA256
75da533888189d13fc340d40637b9fc07a3f732e3fcf33ec300f4c7268790a62

SHA512
c32f20865f736b772844aaa44572369e7ae85b9f2f17f87d61694acc54487309a32bc4830ed8d9cee8b593babecf728c1ea33c2b9588649be0e4f1e6ed7ee753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\offscreendocument_main.js

Filesize
121KB

MD5
5656f8678589cf436a2e5c532a036a73

SHA1
af8b89f2c1596298b1652be2b0c83ec25ffcfb21

SHA256
73e898c9a5efe3a6b8c13b53880b55dd588ca09d543ecb102d965eac32bb12d0

SHA512
7d2b0a2a65c607f0a7445e0afbb31497d0d020a4a439935e49d14de4539e555c76c03c3f60fbc78cef300ee168ebff4132d7b2ecb17acebb66ded18720c46aaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\page_embed_script.js

Filesize
338B

MD5
c14d617e06059a9951c38413f8d3cbc4

SHA1
1418d66bda6097888b1467316b349df77ddcc0db

SHA256
fbd9369840ec4d8f3102cd865c5186e0c65de80d67fbaa244cb7513ba839de36

SHA512
80b14b7cc8a62f482ac5e5ab7dc9c74411fe3c9bb5675536889a552187bc10aead89110ff0479d37c81ce367474d9b7af059059622b019cb17731efc84f5284b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\service_worker_bin_prod.js

Filesize
130KB

MD5
d47e43b89edce51bc01fa656962401fe

SHA1
8cdc456964cfbcc7ca62e58d6258c8535b48d980

SHA256
7e2aa9557db237ee59473f8079197e4de851f8faddf3575bc345cbde6aa49dfc

SHA512
548b6d023154d4404567e331ffdd7a740d6144924fd489e2d7fda4a18db94c67bbc493b72058e92878b8d2d1a8cbe58bf4ae7c5f73d7b3bbe6909c8e78bb828f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
932cdd93479afed1d9f275f125049800

SHA1
0e37e3d1ab08d91272015c9c9c0daaaaefe5ad2e

SHA256
ece980f803090e46e309e509318053d75bbc37c49583d84f568d14691d4361b2

SHA512
231c62c50ddf5d146be9d4c66e0e9c036b16290d6f92fc060dfa132981f0eee8b9587973e4f9985eca61f1bdcdee46a0b30f92ea2bf6c4556801d809de6ff84d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7d57f8c98535cb729f07249a64a5f588

SHA1
f7348bf3b35697b6aa4b137f4d5d4ecc6313a9b0

SHA256
8f92545a6904e4c90fbd9f84e374269e10e85a3021ff4d907e76feaa964b56ee

SHA512
2fcfa2dee5858e4cfbf90a693b8dfb2f809af33d7bd16a597bdab55766489ba5619e69cb5d80ada01d06c6312f1bb9a05478c8d9cfa5900ebcbdd479229352f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0dbea2ae5d0f72c7c205892fdcfb77ee

SHA1
01b0c8f45a67fba12a2e0eb277af27ae70df612b

SHA256
d7c4528c550490db605e22aad0c006326eb1dbc944f998ca9e7efe8a9a421256

SHA512
9e5b3e09e212562254dc6e3184153a40f8a77b9156d670f5908c99ceef099d9eb7f37e3ce1de6bb318a3c7d6aab0b3d7663b38731ee1619967bc8fb05033f0c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
5cf88a9253d6d55a400315c911976094

SHA1
22bcb6182e9174ba954ffddca99c5e5494f7d56b

SHA256
8b9eb55652f1e3631ee4988b1516962a83d5fc36ed7ada22ee969739ec62af2a

SHA512
ad020eb6cb6bd991e286fc4c6b6cf1244607a38324782dda3631ca141ed53b7fdc18b0054aaf0320e79e65c49a684b54d92354bae6b99b3422f24338b1152ac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
fd7fb19bf73031fed88ecd51a2fbb691

SHA1
4ae8149c0aad4bc92575b4bdf22c11ee0a10da4d

SHA256
322a29f51c827484034171b6fc59e0129c2a2cd2b1cb19a6a25fe4a4d84e55a6

SHA512
1b1c5736f0b04d3fe308d5ca2e4eb888d2433401e1f576ef9a11637c8328698cde47ac994522487885b331d4bb1538857cd6885268419993486ab8c5093f52bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
37219a635738ba1e2709467a17dffcb5

SHA1
17e6a75960737c246e9451e8572c3cc8a3fdd764

SHA256
982284893cdb0cdcc86103daeb397e872d489b60b204656d7bcc691e082c900a

SHA512
b1677eac4b826e101e66c52bb9793d95ea605509730954040be0c20ed2f50b5435aea56e38f7e96159d8cfb9b3bf6832f7e476f75408fde25f54c6be0aaa2bbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
7359f4b0a51467c0f663ad6b927c808f

SHA1
16ac0026f6b3192ddcbe96461a0ed853ecb8f36b

SHA256
64578ccdea7db038696321fedaa6c07c13144e63126482b104b8d4f5ccc2f09b

SHA512
5f4135393d6c9153d14c124bf849524bcb5da195924b35ee73763cf767c34d6f643cd89a7034fd4c2694654c1b5cb36481efcad7415ebe768e1f53fc13244db5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
36f35a4813b52ae11f209980cf565e70

SHA1
36210c9f7d0ca21c4be029bbd4d0f7ca3f3aa8a0

SHA256
19c066af8e108649a27746e201760bcb409772d9d1eb3868ee857df466ed48f5

SHA512
e01e8388523bec3919b440dfce2a01d287d8ff003bb38d87bcc2a96f3c62d7888971c1cb124ee41ffe1c61c242223dde6d73e33cf51c3410d056c28453ff469d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3cae91db0b80cdebb272807dbc2d3d62

SHA1
b969ef51292b2bd0d1ce4cc7d704897479f3318e

SHA256
19af5cae486596ff491981b72ef749e1fbc0b227046ca1906d5e2d8598d7859b

SHA512
f6aca9240bfdee51f192ae5d9f6fef2b4d37dab6740ccad2ce51f670cf36ef29d6ff09a263cf0b1b28573bc4f95a329caaafd034f02c291abb314e0980d28b0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1f894972e264d204399dd1f1b7274304

SHA1
c026c9761c75148edc835545603060465f9f9a41

SHA256
1a1d9e566f2c242b6c27120cdd589bfa98ff7ec8175a87df2f2af3dbda7eaa73

SHA512
1dfc87bf3c60f251f279d9450e1600f59b86b80a5e5b3882a3105a0c1088d00cdf7e11ad90a8e3567c6e39b7f31e4a056355b61ce46d76925ea94ab60b6cd0ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
58b1424b9915262da1eca2468151024d

SHA1
b1236d68e60c04053b457074f39c8f418a389097

SHA256
28ebfaef48bea71fe5abf86663854e45edf3a3a83341f974c3517708165008be

SHA512
d44d38f1d804dd29f503b36681e0d76444b49bf4848b8943db7f626bd1ee741ad58af9375c696a8f56ee35a50b9d7e8602bdbc10dd124f2005c5df6d9da40375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2c928a6d92db34f9fd3b71df6c9b59a7

SHA1
76dcf0f8e9c160216c2ab92574ba0f6c3e6dce5f

SHA256
4ec6ec5708ae1c1f9d96c93a8098a29a9b3f9e1a641c8e9e6829153e9c4396b6

SHA512
84bdb06d5e7215be446cb8e67ebbc5b9978c861b3eda7e861713fb2f63be43b52009c5b3d953f11ef0953e40c29fdff26c083e759c1bb730e0ac494c647fb2f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
8811104d20af064a4893931001518661

SHA1
5542ba2e3dd842b95688fd92efd9cf1ddc35e62f

SHA256
8b85354885a9a570ab7b85a104ae8c4390fce2ac68e74dd4acbd836acb6d8a0c

SHA512
e7aa3937b7c47b36e3183505d933582a50bef3378b203633e180add28cd11d97c49d44c6a394ddda7b61db649b9720e1d86a03375e86b1dc58f675c7088dcc20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f5888f8d68b48bef004c0ff6bf6d1704

SHA1
c9a104bcd9bc3eeb870459a0c556d736f026db75

SHA256
f251762f21c1593fc2a0127a7fb656c920977c73a7fc3ce5b3eb8ca0f7093af4

SHA512
8dbcae40bf00f93d4103f72bc3d44ab99fb354025269e4514d0cf80b29c795aaf7107d138da22d5b1f01c1f1c67e32f79a1ab9f064498098cbf7a972e88a3d64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
af5e1b3dfa43c2ed9d0d5460a8e7d056

SHA1
4b792b2c0343e980d9f62b7dc6876de039bffa07

SHA256
429c0bc646435f7e851654e73a025316a8ca4ba63cc953774b410838115e826d

SHA512
e5e9edf098a31c98a4e9d8f3dc9f69563630f2a445fa618215b55e19c37369ae6ed19f3d162c5b9424547a486ed774a0410ada488ff3e1d87a8336ba5d0681a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a9c6b94f073f59cfce41e3592ca3ee95

SHA1
5d2fffae71ff189ad9b7fe485b5a58b0c4cce213

SHA256
41234e30f091f643ea0ebb26fed15a3eaa1359ae2b8016eaa8e5accbeba49f6c

SHA512
7f59064d9ed116b71b250a8a5710352f1c4c1af3fe0f23dff3182de729558a0316d2f4e17c71dd39400e07250c89a16de4e5a584085ac3470b35da339f07bb7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e8b9e0eb7b2a5c96af0ca5a6e85999b8

SHA1
13c5daae5410ee7cd71fc5fb4e9909b3d502e693

SHA256
a444f6935ad842a41a8081c39c107ce165d82bfd383e3ea5f81f3329f978203f

SHA512
9d1b1e37f5d48e74b94f9e0cece383a76515f5c9f896cce41aefc7c9228ed04b7a243a286b65663390017fe40e98bcb7efc2796eb0376d7cc67740fe0755a0fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f05b.TMP

Filesize
48B

MD5
877622fe1e06890f863dfeb466ede252

SHA1
e0b054e8459476abe293ef1a0012fc3d20889232

SHA256
38b852102900c28ca29f51e62e3c0e22323427f47c4c992b09181c1456126e7e

SHA512
43522d6ada3d0a7a9b90b84ca81b0c78ed8873d35f4c6fea1eb81674727b42b02729cc5eaa9b70026bc0ee81b8ad10835b7528893ba18374c9a95353318e5aff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
15d440ab082db640eb534cf95220d8e7

SHA1
da8076a1dd859b47590f7a6fc79ba1c61d2648dc

SHA256
00a6fcc83df94c1389bf6a8191b18552fb03b861150d5beb93259dc1a3e0b033

SHA512
ab1ac346ec17f61986343b393799b7237eab2a102f55b76e16636a4b741da8bd7dfeeecd2fd3c435fa7034fafa33747e6a2168d4628709a0d2139b1f05de2d37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
4f98c54a4f8e5a88096a39f396d6d093

SHA1
7e53ec4538c5212773b5e497550a92b84ae4fcce

SHA256
a3c813c05e6f16d568fa0f807b946582137d7023275fa71fd896be804e58122c

SHA512
f138c1517752b55a23fe7dda1d48a65c1bbdcde8bff4322223fa9d0762bab056ef6f75591293e56ed2c08ba3933de9856d8bee0e9325a7ca96665201482552e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
069386441eba5350255040259be385f8

SHA1
243954c7a0db79c17920131e5efa38c1f430d672

SHA256
ed7194567a6d45841e4a75a969709befa54078e384df0706d98d351065ed3274

SHA512
8dd2dbe46dba0342f582a981caea66d059d08904c739b7e786316d98650462f3cd25c4edfd306df3885b1927df0828ae23309c077c04b9db6f8a1f4be8192bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
179ef00444266a3a2a6658196cafa53f

SHA1
38db38846401bb9458d2a28f0a1452d2e992670f

SHA256
7c6292ec05dc044e39247232f983291333a9056760ade31ea694ceb10a93279f

SHA512
8695ffc8477630cb3d81dc66a491e8091d9eddce955152e6019e773e56219d425b82e242fd5f34e1a30d63fa7c073eb4d60fae5894c03e6f395f430016c705c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
850efe88508753c95f952519b15b037a

SHA1
d8939bae626035dcacde7eec17a8b30733f43998

SHA256
181200c2094846cb32d846fd1e26f3f1490c22c2358649ea39656d4a67f1916e

SHA512
2d3c8f210916257fb45756831baf335c001514d3962d0315957cf84d87c8e9dea5d6148d4501bd93c2dfb908818ad408e99a85dd36b22adcd8459be000b324a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NJRat.exe.log

Filesize
319B

MD5
cdab7719c71b2844a3e7ff9e41894b8a

SHA1
8e6e0e55695e468eb3c237f21340c9d30cab922c

SHA256
e84a57ed5465aaca393476f6271a2413dddad154cbae40827c4639bfc0b3e3eb

SHA512
ec92e8fc3ce02336eea401f9db823ac0a2ad87bb41130f493e72f3c5ca100a461d6296a710afcc93e1fe1fc8630c5e0029e17f58583520077a3c80ad794d9dc9

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
289cbcbe25df26aba3a5129958a6eb65

SHA1
104f9d8d941b861b2389ff55e6a8e1e7a4e2a0ee

SHA256
6e83bce3dbdb589be2e37248510fe2d241f24e496f9204acc3e80bd32ce9b502

SHA512
a2d92920e9effdb42eb12ddd23267151ab940495f7d66c42b140bb35d0904480440d4a7f084206469244d2308b42bd9c05e909a0d1cb4c7de4f23142cf1348a9

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
838ccde6c00118562824973d6c8a811b

SHA1
858a730aeda74b65310f8249e5e40779a7784528

SHA256
302865e8eda32581bb13adb200d14882769458106b009d2ccef8ffb21f60fe57

SHA512
a915113910bbba5892612a9fbb043f28f39c6f53dddd8b6366cc4c011962a150382c9d6fd53f84f79bc943a66c181eb743d53c9f5063b0d682e1ed49e62750f6

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
5c8db5b92e9ab735b60b7cbe6b065438

SHA1
40f5e5c5413ec2398e68fdc5daa8f0d6c190498e

SHA256
31a447210201dacd852d5f04b8fb45cc58c479774ffcd58553499f17bd009893

SHA512
fa407a98e14ceeb06569d50d396dd5c5299d55a3a4def3428a6520c3c1dccdc5d4ca9a1a4b069b3fc406429017f00bb33cba5f3e68c8d2ea0c17dcb19706a26e

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
49f358fcfe24bcbc448fce262292f387

SHA1
3f0d087e3fe81c961b406788ce968625aa5e2797

SHA256
a3eb92cfbf054d97ae3a8938afd07fbe4fe56a627d6ed3f717cb5ae787b7698b

SHA512
288f4158d199f182885a6fe98534052a03d29adeb43627b85cfe1bfc06d25f786795566fc7b296f885640426f486320ae86b94fc1d96d0bb34b3b75f9385615e

Download Submit
C:\Users\Admin\Downloads\134401743670351.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\NJRat.exe

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 698143.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
54b1227ef0f0038aeddcf80259d976cd

SHA1
6f3f32ede13165f08bf081f0f6e2e56875698038

SHA256
49993f26298a7f24969bdba8de2d473a475a63094e7d5e1b6d610a4335f8612f

SHA512
250e91f64281fbffac853b7ba35a365f39ce4b680e78a374f2bb571e34a775cd36a010fc9eb641e92bb3b2ba3b32a054b0f434dce5b3d6b350abfea67c2b496a

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1820-2417-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1820-2418-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1820-2419-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1820-2420-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1820-2421-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1820-872-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2320-2248-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2320-2229-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2354-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2328-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2219-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2218-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2251-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2333-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2365-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2331-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2384-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2335-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2394-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2396-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2397-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2269-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2222-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2309-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2220-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5200-2285-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5960-2422-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads