
Summary
This detection rule identifies suspicious modifications to the Windows registry in which a registry key name has the characteristics of an MD5 hash value. Specifically, it monitors Sysmon EventID 12 (key created or deleted) and EventID 13 (value set), focusing on registry entries under a SOFTWARE path whose name consists of exactly 32 hexadecimal characters. This is relevant because it aligns with the operational tactics of the NjRAT malware, which is known to use such naming conventions to support fileless persistence and data exfiltration. The presence of registry keys with MD5-like names can indicate a potentially severe security breach, given NjRAT's capabilities for stealing sensitive data and maintaining an attacker foothold within a system. Monitoring these registry modifications is therefore important for proactive incident response and threat intelligence.
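The following is an added worked example of the logic this rule describes, written as Python for illustration; it is not the rule's own query or the detection product's code. It applies the three stated conditions (Sysmon EventID 12 or 13, a SOFTWARE hive path, and a final key or value name of exactly 32 hexadecimal characters) to a handful of constructed Sysmon-style events. The field names `EventID`, `Image` and `TargetObject` follow Sysmon's registry event schema; the hex strings, SID and image paths in the sample events are made up.

```python
import re
from typing import Dict, Iterable, List

# Sysmon registry event IDs covered by the rule: 12 = key created/deleted,
# 13 = value set.
REGISTRY_EVENT_IDS = {12, 13}

# TargetObject must pass through a SOFTWARE hive path and its final component
# (the key or value name, i.e. the text after the last backslash) must be
# exactly 32 hex characters, the length of a hex-encoded MD5 digest.
# Braced GUIDs and hyphenated values do not match because of the extra
# non-hex characters, and longer or shorter hex names are rejected by the
# anchored {32} quantifier.
MD5_LIKE_TARGET_RE = re.compile(
    r"\\SOFTWARE\\(?:[^\\]+\\)*[0-9A-F]{32}$", re.IGNORECASE
)


def is_md5_like_registry_event(event: Dict[str, object]) -> bool:
    """Return True when a Sysmon event satisfies all three rule conditions."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return False
    target = event.get("TargetObject")
    if not isinstance(target, str):
        return False
    return MD5_LIKE_TARGET_RE.search(target) is not None


def detect(events: Iterable[Dict[str, object]]) -> List[str]:
    """Run the rule over an event stream and return the matching TargetObjects."""
    return [str(e["TargetObject"]) for e in events if is_md5_like_registry_event(e)]


# Constructed sample events (hypothetical hex names, SID and image paths).
SAMPLE_EVENTS = [
    # Expected hit: Run-key value whose name is 32 hex characters.
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\3f2a9c1e8b7d4a6f0e5c2b1a9d8e7f60"},
    # Expected hit: key created directly under a per-user SOFTWARE hive.
    {"EventID": 12, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\c0ffee00deadbeef0123456789abcdef"},
    # Benign Run-key value with an ordinary name.
    {"EventID": 13, "Image": "C:\\Program Files\\OneDrive\\OneDrive.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    # 32 hex characters, but under SYSTEM rather than SOFTWARE.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\abcdef0123456789abcdef0123456789"},
    # A braced GUID: 32 hex digits, but hyphens and braces break the pattern.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{0123ABCD-4567-89EF-0123-456789ABCDEF}"},
    # Not a registry event at all (EventID 1 = process creation).
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKLM\\SOFTWARE\\0123456789abcdef0123456789abcdef"},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT md5-like registry name:", hit)
```

Only the first two sample events match. Hash-like key names are not unique to NjRAT, so in practice this logic is tuned by baselining the environment and allowlisting installers or updaters that are known to write hex-named keys, with the `Image` field of the event as the natural pivot for that triage.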
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Sensor Health
ATT&CK Techniques
- T1112
Created: 2024-11-13