
Windows Analysis Report
NJRAT DANGEROUS.exe

Overview

General Information

Sample name: NJRAT DANGEROUS.exe
Analysis ID: 1575695
MD5: 401b1ea00d135d5060f237c2f5a8a6c4
SHA1: 6955a95c3b4f5de689b352e3d7e0badd821d624b
SHA256: 9b8cbcf33039dc4ee3a8649fab25ed587e7c75958473f4eb814d5c13d90f8ffa
Tags: exe, XWorm, user-lontze7

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • NJRAT DANGEROUS.exe (PID: 2520 cmdline: "C:\Users\user\Desktop\NJRAT DANGEROUS.exe" MD5: 401B1EA00D135D5060F237C2F5A8A6C4)
    • powershell.exe (PID: 748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2860 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NJRAT DANGEROUS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5340 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT DANGEROUS" /tr "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 1164 cmdline: C:\Windows\system32\WerFault.exe -u -p 2520 -s 2572 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • NJRAT DANGEROUS.exe (PID: 5476 cmdline: "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe" MD5: 401B1EA00D135D5060F237C2F5A8A6C4)
  • NJRAT DANGEROUS.exe (PID: 2508 cmdline: "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe" MD5: 401B1EA00D135D5060F237C2F5A8A6C4)
  • NJRAT DANGEROUS.exe (PID: 4912 cmdline: "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe" MD5: 401B1EA00D135D5060F237C2F5A8A6C4)
  • NJRAT DANGEROUS.exe (PID: 1772 cmdline: "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe" MD5: 401B1EA00D135D5060F237C2F5A8A6C4)
  • cleanup
{"C2 url": ["soon-lp.at.ply.gg"], "Port": 17209, "Aes key": "adlan1122", "SPL": "<Xwormmm>", "Install file": "NjRat Dangerous.exe", "Version": "XWorm V3.0"}
Source | Rule | Description | Author | Strings
NJRAT DANGEROUS.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
NJRAT DANGEROUS.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
NJRAT DANGEROUS.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (matched strings below)
  • 0xd4e6:$s6: VirtualBox
  • 0xd444:$s8: Win32_ComputerSystem
  • 0xf824:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf8c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf9d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf0ca:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (matched strings below)
  • 0xd4e6:$s6: VirtualBox
  • 0xd444:$s8: Win32_ComputerSystem
  • 0xf824:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf8c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf9d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf0ca:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.2040464728.0000000000A42000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2040464728.0000000000A42000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (matched strings below)
  • 0xd2e6:$s6: VirtualBox
  • 0xd244:$s8: Win32_ComputerSystem
  • 0xf624:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf6c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf7d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xeeca:$cnc4: POST / HTTP/1.1
00000000.00000002.3316762104.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: NJRAT DANGEROUS.exe PID: 2520 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
0.0.NJRAT DANGEROUS.exe.a40000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.NJRAT DANGEROUS.exe.a40000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.NJRAT DANGEROUS.exe.a40000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | (matched strings below)
  • 0xd4e6:$s6: VirtualBox
  • 0xd444:$s8: Win32_ComputerSystem
  • 0xf824:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf8c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf9d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf0ca:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NJRAT DANGEROUS.exe", ParentImage: C:\Users\user\Desktop\NJRAT DANGEROUS.exe, ParentProcessId: 2520, ParentProcessName: NJRAT DANGEROUS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', ProcessId: 748, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NJRAT DANGEROUS.exe", ParentImage: C:\Users\user\Desktop\NJRAT DANGEROUS.exe, ParentProcessId: 2520, ParentProcessName: NJRAT DANGEROUS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', ProcessId: 748, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NJRAT DANGEROUS.exe", ParentImage: C:\Users\user\Desktop\NJRAT DANGEROUS.exe, ParentProcessId: 2520, ParentProcessName: NJRAT DANGEROUS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', ProcessId: 748, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\NJRAT DANGEROUS.exe, ProcessId: 2520, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NJRAT DANGEROUS.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT DANGEROUS" /tr "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT DANGEROUS" /tr "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\NJRAT DANGEROUS.exe", ParentImage: C:\Users\user\Desktop\NJRAT DANGEROUS.exe, ParentProcessId: 2520, ParentProcessName: NJRAT DANGEROUS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT DANGEROUS" /tr "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe", ProcessId: 5340, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NJRAT DANGEROUS.exe", ParentImage: C:\Users\user\Desktop\NJRAT DANGEROUS.exe, ParentProcessId: 2520, ParentProcessName: NJRAT DANGEROUS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe', ProcessId: 748, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T08:39:03.308463+0100 | 2853618 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49781 | 147.185.221.181 | 17209 | TCP


AV Detection

Source: NJRAT DANGEROUS.exe | Avira: detected
Source: soon-lp.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: NJRAT DANGEROUS.exe | Malware Configuration Extractor: Xworm {"C2 url": ["soon-lp.at.ply.gg"], "Port": 17209, "Aes key": "adlan1122", "SPL": "<Xwormmm>", "Install file": "NjRat Dangerous.exe", "Version": "XWorm V3.0"}
Source: soon-lp.at.ply.gg | Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | ReversingLabs: Detection: 81%
Source: NJRAT DANGEROUS.exe | Virustotal: Detection: 64%
Source: NJRAT DANGEROUS.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Joe Sandbox ML: detected
Source: NJRAT DANGEROUS.exe | Joe Sandbox ML: detected
Source: NJRAT DANGEROUS.exe | String decryptor: soon-lp.at.ply.gg
Source: NJRAT DANGEROUS.exe | String decryptor: 17209
Source: NJRAT DANGEROUS.exe | String decryptor: adlan1122
Source: NJRAT DANGEROUS.exe | String decryptor: <Xwormmm>
Source: NJRAT DANGEROUS.exe | String decryptor: NjRat Dangerous.exe
Source: NJRAT DANGEROUS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NJRAT DANGEROUS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: mscorlib.pdbSYSTEM source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Xml.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Configuration.pdb03y source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb0O source: NJRAT DANGEROUS.exe, 00000000.00000002.3310773959.0000000000F83000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: .pdb6 source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Management.pdbp source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbv source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Configuration.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbper) source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: 0C:\Windows\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Core.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb* source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3310773959.0000000000F83000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp, NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC8000.00000004.00000020.00020000.00000000.sdmp, WERA10C.tmp.dmp.19.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Xml.pdbSystem.Management.ni.dll source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Management.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Management.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Core.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: indoC:\Windows\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb> source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2853618 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49781 -> 147.185.221.181:17209
Source: Malware configuration extractor | URLs: soon-lp.at.ply.gg
Source: global traffic | TCP traffic: 147.185.221.181 ports 0,1,2,7,9,17209
Source: Yara match | File source: NJRAT DANGEROUS.exe, type: SAMPLE
Source: Yara match | File source: 0.0.NJRAT DANGEROUS.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.5:49781 -> 147.185.221.181:17209
Source: global traffic | HTTP traffic detected:
  GET /line/?fields=hosting HTTP/1.1
  Host: ip-api.com
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: soon-lp.at.ply.gg
Source: NJRAT DANGEROUS.exe, NJRAT DANGEROUS.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2217285886.00000232412B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2309591959.000002822E591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2222361705.00000232495B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic
Source: powershell.exe, 00000002.00000002.2192898603.0000023231469000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2254869671.000002821E749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: NJRAT DANGEROUS.exe, 00000000.00000002.3316762104.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192898603.0000023231241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2254869671.000002821E521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369678942.0000021559811000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2192898603.0000023231469000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2254869671.000002821E749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.2323742781.0000028236B50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000002.00000002.2222361705.00000232495B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2192898603.0000023231241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2254869671.000002821E521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369678942.0000021559811000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2192793183.000002323111C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.m
Source: powershell.exe, 00000002.00000002.2217285886.00000232412B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2309591959.000002822E591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Process information set: 01 00 00 00

System Summary

Source: NJRAT DANGEROUS.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.NJRAT DANGEROUS.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2040464728.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Code function: 0_2_00007FF848E77282
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Code function: 0_2_00007FF848E79239
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Code function: 0_2_00007FF848E71609
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Code function: 0_2_00007FF848E760C6
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Code function: 0_2_00007FF848E720C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F330E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF848F430E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848F230E9
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 13_2_00007FF848E70DEE
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 13_2_00007FF848E71609
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 13_2_00007FF848E720C9
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 14_2_00007FF848E70DEE
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 14_2_00007FF848E71609
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 14_2_00007FF848E720C9
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 15_2_00007FF848E60DEE
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 15_2_00007FF848E61609
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 15_2_00007FF848E620C9
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 16_2_00007FF848E90DEE
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 16_2_00007FF848E91609
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Code function: 16_2_00007FF848E920C9
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Process created: C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2520 -s 2572
Source: NJRAT DANGEROUS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NJRAT DANGEROUS.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.NJRAT DANGEROUS.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2040464728.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: NJRAT DANGEROUS.exe, XIISYPtSayyijO4BjqyURZBpYZpckRlA7cyAZyrZ4cCawECzppnTpdWXcewMBtGuX.csCryptographic APIs: 'TransformFinalBlock'
                    Source: NJRAT DANGEROUS.exe, kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We.csCryptographic APIs: 'TransformFinalBlock'
Source: NJRAT DANGEROUS.exe.0.dr, XIISYPtSayyijO4BjqyURZBpYZpckRlA7cyAZyrZ4cCawECzppnTpdWXcewMBtGuX.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: NJRAT DANGEROUS.exe.0.dr, kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: NJRAT DANGEROUS.exe, OdTjMbvKwmh2aiheK8U7gl9DxqCdN4Z5SIDGBevv5nlNVSZrEq7IA2o1DdJaFDviAh3pLKAHpU4jV8p16vUbFKKlmg.cs | Base64 encoded string: 'O2DZ3Jx9izLJ6GvSUE89Tpzftf2lB36WvTzHE7MzHimLK7OOncl62wVM7fbUxEP3fJWFnRt5ZTdrtEgexpSPxooDBnpp'
Source: NJRAT DANGEROUS.exe, XOBTV4xzrjIi7ydC4irRLj2m8yvVfEd9wOAS0QebbgneG7yawFJtgOsknzkuOUmh8KjvNbCZIZRO1q6WyiArWzAcDu.cs | Base64 encoded string: 'SnZBlvkNq55LMqgrlKkwx2DPNIWoDCFytK0bhqZZdcbvKnjltFY5qcuP7KCOh97VFDi5X8zP2QxKWGyT2oX3ARfCMtmX', 'ttw6ISjGkMUj3jifngRHH7X8Rgm1jS8XMDytgevzbf8I3Yq8sCTlPoBOpSIXU0TbTxXISnUkgKYFcHwSw3PucN44Srpm', 'xfztfedNIjeuLl441ScfMepWpt6JYevmtSvgYP5IXu0tGAYVJTQfXZbvDWievJDXq89z6TbhcbwQxjKuYsDYKXVtGaEA'
Source: NJRAT DANGEROUS.exe, gdzvroPSWlwimSxWtBgPbsIFQABTC4x2x.cs | Base64 encoded string: 'hMp9qRZJD011qsIlEkLpmvoJgWwUUv634s7LHEy886Co63ZNH81j1fCWwnf6Q2CZ8cCiKB3z0WJ5UFbguYyhoc4Twluk', 'myf1TD6bmVkmbtSDG07RupGSsLwENkiAVhJ4U9K5bSs0dqz8lGdAcH0yOsCxAOe2JRNlc2y6lKizk97rZRR84wSNaePM', 'yyCnvTcd16sLZFmDPTw8o6yNebLsnHz5kOVbwe7IBuFU7ncteH0rjauiv4hFPcCathQmSU0RiRXaBLufjflJncnzQGD7', 'Ug6lUA74VAuRlEQazWNfhwtH5JpgC3GuM44NO2l5qz0TWkfmlqtKi6IUR0UkWnzrJDdchXznLaHQyCFFryo7M1p3Xebp', 'Y0JO1FVNTHGJD7BTQJJmbaXvno66cuW11KoWLTrCt0O5g8znqNJRhvacUlUT8pMcVx5JNZPQavAqd5HDQZefPPICtpv8'
Source: NJRAT DANGEROUS.exe.0.dr, OdTjMbvKwmh2aiheK8U7gl9DxqCdN4Z5SIDGBevv5nlNVSZrEq7IA2o1DdJaFDviAh3pLKAHpU4jV8p16vUbFKKlmg.cs | Base64 encoded string: 'O2DZ3Jx9izLJ6GvSUE89Tpzftf2lB36WvTzHE7MzHimLK7OOncl62wVM7fbUxEP3fJWFnRt5ZTdrtEgexpSPxooDBnpp'
Source: NJRAT DANGEROUS.exe.0.dr, XOBTV4xzrjIi7ydC4irRLj2m8yvVfEd9wOAS0QebbgneG7yawFJtgOsknzkuOUmh8KjvNbCZIZRO1q6WyiArWzAcDu.cs | Base64 encoded string: 'SnZBlvkNq55LMqgrlKkwx2DPNIWoDCFytK0bhqZZdcbvKnjltFY5qcuP7KCOh97VFDi5X8zP2QxKWGyT2oX3ARfCMtmX', 'ttw6ISjGkMUj3jifngRHH7X8Rgm1jS8XMDytgevzbf8I3Yq8sCTlPoBOpSIXU0TbTxXISnUkgKYFcHwSw3PucN44Srpm', 'xfztfedNIjeuLl441ScfMepWpt6JYevmtSvgYP5IXu0tGAYVJTQfXZbvDWievJDXq89z6TbhcbwQxjKuYsDYKXVtGaEA'
Source: NJRAT DANGEROUS.exe.0.dr, gdzvroPSWlwimSxWtBgPbsIFQABTC4x2x.cs | Base64 encoded string: 'hMp9qRZJD011qsIlEkLpmvoJgWwUUv634s7LHEy886Co63ZNH81j1fCWwnf6Q2CZ8cCiKB3z0WJ5UFbguYyhoc4Twluk', 'myf1TD6bmVkmbtSDG07RupGSsLwENkiAVhJ4U9K5bSs0dqz8lGdAcH0yOsCxAOe2JRNlc2y6lKizk97rZRR84wSNaePM', 'yyCnvTcd16sLZFmDPTw8o6yNebLsnHz5kOVbwe7IBuFU7ncteH0rjauiv4hFPcCathQmSU0RiRXaBLufjflJncnzQGD7', 'Ug6lUA74VAuRlEQazWNfhwtH5JpgC3GuM44NO2l5qz0TWkfmlqtKi6IUR0UkWnzrJDdchXznLaHQyCFFryo7M1p3Xebp', 'Y0JO1FVNTHGJD7BTQJJmbaXvno66cuW11KoWLTrCt0O5g8znqNJRhvacUlUT8pMcVx5JNZPQavAqd5HDQZefPPICtpv8'
Source: NJRAT DANGEROUS.exe.0.dr, p42u2CdTpFEJwWFLtRvVzAuqTcRvqzmbx.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: NJRAT DANGEROUS.exe.0.dr, p42u2CdTpFEJwWFLtRvVzAuqTcRvqzmbx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: NJRAT DANGEROUS.exe, p42u2CdTpFEJwWFLtRvVzAuqTcRvqzmbx.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: NJRAT DANGEROUS.exe, p42u2CdTpFEJwWFLtRvVzAuqTcRvqzmbx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/19@2/2
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | File created: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Mutant created: \Sessions\1\BaseNamedObjects\K1yAbXf0sNHUj3H8
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2520
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vv13ivgr.bfr.ps1
Source: NJRAT DANGEROUS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NJRAT DANGEROUS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NJRAT DANGEROUS.exe | Virustotal: Detection: 64%
Source: NJRAT DANGEROUS.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | File read: C:\Users\user\Desktop\NJRAT DANGEROUS.exe
Source: unknown | Process created: C:\Users\user\Desktop\NJRAT DANGEROUS.exe "C:\Users\user\Desktop\NJRAT DANGEROUS.exe"
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NJRAT DANGEROUS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT DANGEROUS" /tr "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: NJRAT DANGEROUS.lnk.0.dr LNK file: ..\..\..\..\..\NJRAT DANGEROUS.exe
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: NJRAT DANGEROUS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: NJRAT DANGEROUS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: mscorlib.pdbSYSTEM source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Xml.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Configuration.pdb03y source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb0O source: NJRAT DANGEROUS.exe, 00000000.00000002.3310773959.0000000000F83000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: .pdb6 source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Management.pdbp source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbv source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Configuration.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbper) source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: 0C:\Windows\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Core.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb* source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3310773959.0000000000F83000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp, NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC8000.00000004.00000020.00020000.00000000.sdmp, WERA10C.tmp.dmp.19.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Xml.pdbSystem.Management.ni.dll source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Management.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Management.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Core.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: indoC:\Windows\mscorlib.pdb source: NJRAT DANGEROUS.exe, 00000000.00000002.3347760461.000000001C4F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERA10C.tmp.dmp.19.dr
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb> source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: NJRAT DANGEROUS.exe, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.sCGYw0d5FvYImHBJILpFjUF6QHn0QOcBo,_9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.gnhZAaeXrGQXSPNVQNc9Z2ncjlk97UANQ,_9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.YsCF3Z47gqcq1tZl4eZcHRX3zc4VG5moK,_9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.bgTuiTcZ69W9GQvuWFfW20vglrQDpFiVJ,kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We.sy0G31IbGorGA3hMMb5XfoqgjPInsbJi35KtSWqXbhk80i90S4632ZMVcbWm5j4tc()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: NJRAT DANGEROUS.exe, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{h15MA8sEIlvNEgQIwwfsOeebFVHnejViSmGuDkUQfeR50qGQBdx96m56Th6ImB5L2[2],kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We._2lZNCaBbRmeUsODOJE9q5mMlbIlssXQWSobxpcAffEsXeEsZaY0CUgv4ACLuQZfsd(kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We.RDNBo1SIuqar9uonqOwKyf0MXrByib87wKIHgve6WqgelhRCcgIRbjFcIlTzzFsnJ(h15MA8sEIlvNEgQIwwfsOeebFVHnejViSmGuDkUQfeR50qGQBdx96m56Th6ImB5L2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: NJRAT DANGEROUS.exe, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { h15MA8sEIlvNEgQIwwfsOeebFVHnejViSmGuDkUQfeR50qGQBdx96m56Th6ImB5L2[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: NJRAT DANGEROUS.exe.0.dr, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.sCGYw0d5FvYImHBJILpFjUF6QHn0QOcBo,_9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.gnhZAaeXrGQXSPNVQNc9Z2ncjlk97UANQ,_9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.YsCF3Z47gqcq1tZl4eZcHRX3zc4VG5moK,_9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.bgTuiTcZ69W9GQvuWFfW20vglrQDpFiVJ,kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We.sy0G31IbGorGA3hMMb5XfoqgjPInsbJi35KtSWqXbhk80i90S4632ZMVcbWm5j4tc()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: NJRAT DANGEROUS.exe.0.dr, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{h15MA8sEIlvNEgQIwwfsOeebFVHnejViSmGuDkUQfeR50qGQBdx96m56Th6ImB5L2[2],kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We._2lZNCaBbRmeUsODOJE9q5mMlbIlssXQWSobxpcAffEsXeEsZaY0CUgv4ACLuQZfsd(kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We.RDNBo1SIuqar9uonqOwKyf0MXrByib87wKIHgve6WqgelhRCcgIRbjFcIlTzzFsnJ(h15MA8sEIlvNEgQIwwfsOeebFVHnejViSmGuDkUQfeR50qGQBdx96m56Th6ImB5L2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: NJRAT DANGEROUS.exe.0.dr, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { h15MA8sEIlvNEgQIwwfsOeebFVHnejViSmGuDkUQfeR50qGQBdx96m56Th6ImB5L2[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: NJRAT DANGEROUS.exe, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: yq31zUPEOpnaMk4V1cy1jve2jJmLmn0wK System.AppDomain.Load(byte[])
                    Source: NJRAT DANGEROUS.exe, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: _2C9b2KbY2Tg0TWRZpnPGgXmPOfL78kNJLkS84PvHtqKcgQSrHArxHv2j995AAalKv System.AppDomain.Load(byte[])
                    Source: NJRAT DANGEROUS.exe, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: _2C9b2KbY2Tg0TWRZpnPGgXmPOfL78kNJLkS84PvHtqKcgQSrHArxHv2j995AAalKv
                    Source: NJRAT DANGEROUS.exe.0.dr, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: yq31zUPEOpnaMk4V1cy1jve2jJmLmn0wK System.AppDomain.Load(byte[])
                    Source: NJRAT DANGEROUS.exe.0.dr, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: _2C9b2KbY2Tg0TWRZpnPGgXmPOfL78kNJLkS84PvHtqKcgQSrHArxHv2j995AAalKv System.AppDomain.Load(byte[])
                    Source: NJRAT DANGEROUS.exe.0.dr, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs .Net Code: _2C9b2KbY2Tg0TWRZpnPGgXmPOfL78kNJLkS84PvHtqKcgQSrHArxHv2j995AAalKv
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe Code function: 0_2_00007FF848E700BD pushad ; iretd 0_2_00007FF848E700C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848D4D2A5 pushad ; iretd 2_2_00007FF848D4D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848E600BD pushad ; iretd 2_2_00007FF848E600C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F30835 pushfd ; retf 2_2_00007FF848F30837
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F32316 push 8B485F94h; iretd 2_2_00007FF848F3231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F32185 pushfd ; retf 2_2_00007FF848F32187
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF848D5D2A5 pushad ; iretd 6_2_00007FF848D5D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF848E78AAD push ebx; retn 0009h 6_2_00007FF848E78AAA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF848E78A45 push ebx; retn 0009h 6_2_00007FF848E78AAA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF848E700BD pushad ; iretd 6_2_00007FF848E700C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF848F40835 pushfd ; retf 6_2_00007FF848F40837
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF848F42316 push 8B485F93h; iretd 6_2_00007FF848F4231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF848F42185 pushfd ; retf 6_2_00007FF848F42187
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848D3D2A5 pushad ; iretd 8_2_00007FF848D3D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848F20835 pushfd ; retf 8_2_00007FF848F20837
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848F22316 push 8B485F95h; iretd 8_2_00007FF848F2231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848F22185 pushfd ; retf 8_2_00007FF848F22187
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe Code function: 13_2_00007FF848E700BD pushad ; iretd 13_2_00007FF848E700C1
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe Code function: 14_2_00007FF848E700BD pushad ; iretd 14_2_00007FF848E700C1
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe Code function: 15_2_00007FF848E600BD pushad ; iretd 15_2_00007FF848E600C1
                    Source: NJRAT DANGEROUS.exe, 9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.cs High entropy of concatenated method names: 'txsmZIDYWOv5ZgpOgbiq7xvIYgcFbFeeyhJQpF9u5jvPmHnnWL3cp7O3Lf11mVA54cVnx6wguOEUxnQ7v40CinhHYnFg', 'yPesSP0sUGCgFNbWPJ1pjTwusfkDgoTnt3v2nUEMzSUCrll9pxVP5fsPkpR1t8dVBQ784RdpiXZFZbseiUclac87vo13', '_4hFcBUxwKTdDx3u1UD8pS8xkghefPfbnuLO5osk5mlAJF8yTgrgBVXfyMKNvXtYyGWMCbRJbi7kYUgK0wTzuKVDMyRR5', '_1apeF5qHzj8vW4h2nxDvy5EaEtiLRqDrZeKxHzTLp6U2G3VD8RjhcvLFzR5clTh7w0uvN1mXpEoT2H2VqXJCx38HpXae'
                    Source: NJRAT DANGEROUS.exe, qHSayriWtT3OXN77LC9qsEVzK7k6CILViWmdDGzzdLFX7cUvRX.cs High entropy of concatenated method names: 'Z7DbLcEAJX0J6LXPdGG6IuDgBIxC2PUa0qEQk8FW2zMmxRRWDB', 'XMnFZyzLgHRjWroz91RrteaV72PwRupdPvvXzjv6peqjxolHhR', 'bYJKrP1k1SKP41DOXwESscCPMnRwMBsnQbyz9pqIbXk0pqUiFQ', '_8W5N8fmECS9Oy1OmUncv', '_7riJRrV98vqH7X5ZNWN2', 'AAWXhxPsfJmtQrwBNY2Z', 'sN4QDaGoeSe64aSkHAHZ', 'gb8Y9kwLCHtRfZsfQIIN', 'x6IrrIBuCuzp06yEB0pf', 'i0IxpGKfCwI946BRRemL'
                    Source: NJRAT DANGEROUS.exe, XOBTV4xzrjIi7ydC4irRLj2m8yvVfEd9wOAS0QebbgneG7yawFJtgOsknzkuOUmh8KjvNbCZIZRO1q6WyiArWzAcDu.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'eETC1ztypZqcZj6UmGL2mUi3YkFIPv3QiNy0vvhVTLMrKrRMgWrzdeePLgYudndC969Dk4hjeJ5R61IQNYshFkT1A8Sj', 'fhZSGNfawqcOTB7HPq2kohDpC5Ot11IgcqjEq2JSNkVHuZ0atvrFm5oux7PW9DlezkR7V1m2f8RE2JaxcMYBvKDsDigY', '_4gLirK7bBm6Cr34YlEusAZBfWH0CUBshd44ro73c3JlCc81Nr7Is3lzTZPH81oBenGc4TWM7ce9Wi7DgUwqjdCSSs3zR', 'S3JPpNz2fqKG6y4zpwaOAIVv2Hh237bfG4lzZZmL9vEqrjGLcwt16QxXNBJrfrwAs2GHhIX0a4VZGgoxGwY3wdSO9NKD'
                    Source: NJRAT DANGEROUS.exe, W1ECQFPlvJC03oUAAQoBl7CLAYVqZ4mg3bZbjnbANJzDMTjPE8ZJuGXHBbmCHYy7c.cs High entropy of concatenated method names: 'shM2vbZx3BxV5S2heYmbBhG4YYP7tusrhWDNQcsJ8plg3uDAXCrajrhMxZphGPV5F', 'AUdFUYzhuyWj9l2JfGOq', 'J1Tr4oY4YJeejPv1Zqyg', 'dBM4F61dwehM6KZIgjPO', 'RPBnhanWzYkr2lBGTqZh'
                    Source: NJRAT DANGEROUS.exe, XIISYPtSayyijO4BjqyURZBpYZpckRlA7cyAZyrZ4cCawECzppnTpdWXcewMBtGuX.cs High entropy of concatenated method names: 'pDklJFGAM3beyPqLYohI3Y7P7Zg07BvOrLzezWFx0GO4hjCfGirqQpmjbngSh9M66', 'z8qJutwML4lTFJmpSXV1wkpHIArRmuRjM2ekaFYVhOnQgtzfSc78fwWhWpFaRjDP9', 'yfEJ0xAVGu1IHfvnd4XEKNxWvZwKsE30MVS2evcfUoPPgEqhaQK1k4CwBryAwOOMN', 'dMTq1qiXlJbO1owwtMx0', 'FIOJA8HAOAXIOsklxAZr', 'QJ8ZUNH9OnoaHeCsuZRS', 'CeGwGxt5fnJCTZz082yw', '_7yiU9yopXNlfZSbGBdbK', '_6NW09JVIZQuU5fASbyAz', 'IVw4vdLPsB3O9DvMix4y'
                    Source: NJRAT DANGEROUS.exe, p42u2CdTpFEJwWFLtRvVzAuqTcRvqzmbx.cs High entropy of concatenated method names: 'tnde14zvnCWW3IBtRf4EBKh3ut1CDKXac', 'YoKilti6hqosarzEx5OpyDpwK1YMnNdAq', 'aV9Bz4kHfYwVFKSJQLzZj1y5789im9JDM', 'A2tosO2zwIkXyseSWE3O2x0iQTdMwWgRz', 'tiuoZtXB9aMy3QEkviytNAiOAqxWLc2EE', 'wz0bfGQTodYo6mrTbobqB4bdv8GtZCJUl', 'nlnHlwMORZK67NWFZQugKwsMevSaKMp3b', 'pSoBQZEygvhqQPFuJeCTiz3fgDdnw0vi5', 'MYRUiKSDS6N1cblejrJXCi9XeZWwf0Dyn', 'IoaadOnBX2SxoXUCuu53CtOgTTSdA9KfF'
                    Source: NJRAT DANGEROUS.exe, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs High entropy of concatenated method names: '_2NfpL3et8bk8Kalh1cLEJG9Dce7EDTlOO', 'yq31zUPEOpnaMk4V1cy1jve2jJmLmn0wK', 'kMpLmw3Pj6imPAqxRMrslgcFXMndclvhK', 'pUJNCTHPY47aMxUkqalyR73zu6woLbMN6', 'XPK5jVJtDtgapGi8Fn48IbatiRz8AV36e', 'woFKLqsfw7Uol62Mym1wj3H6OWJFCvP98', 'YaVe3YSltCyMvknItGer9bqDiBmfQFt0C', 'XKph5IJpfxyu8BG5JQhBFFvwRt5lUC8g9', 'C4wExEzOS9YwQOg4RhsGPX9fwWorBgrmn', 'ziM3e4LA1gQTPQbdruQsbmA7gyRcmPCPfHGdZXOWb30loukeB5piQpK09I5rY9kD6'
                    Source: NJRAT DANGEROUS.exe, ZYLil0zEDX9C8l7Y0hjQ4rs584oXrBhIZHP1PUbL2ajhAEu0U3TFkZd6tpZA2Cmas.cs High entropy of concatenated method names: 'fFzdEDdxvZzQ2jrhGqh4p6Paf55aBm5dMYzKJZaR1wS0aFNAiDwMqrOfPlv3oPKeJ', 'REbAaj0s6ifNnLw10fR8slKSL8bukgYExImWM4ciEvuWMNYu45D5qcJStHu1FEkHp', 'n4LQxGUVG8OH56R1KHlRIPJPt8dNcVg9AqPAojyFJJF9SCZvQX0X4CoasBHQDuse7', 'IM85zPbegoWHte7YGhCCooHRXKkHudpICLUw3XjnUmLRGAYQ2jQCAelA0Ao6mtC6V', 'zpTiYPzrFbwoXL4ZAoCl', 'ah6QoxgUww2qW3hnTQFs', 'LPz30evXuT5cgOTiOPOv', '_8FUN7oyqbGsXmRPi2HYG', 'HjwVClMSZdao9NcAucP9', 'Begs91si3qZ0N3e0r91w'
                    Source: NJRAT DANGEROUS.exe, vOS5UwX9hsXn72tHoEXrMZZ69cuA86uvLly5tuvo6aEHAVmaww8baJCmHybTelx3B.cs High entropy of concatenated method names: 'eW2RBzBbtn9LSbwL7qzdqjq0GvxDmOLOLNDxDkgN418iwipphgJBoOnr0BGz81Inf', 'GSQbs85KqyP7L6eaYviGUm1XnKTuex8yuxp6SZkpOJUUJss9ThoHVWTP6AmlmRi9K', 'XUouXOiY0No6qlvcDFimpDoeBqMGssWvFLeaDnOqiv166jyjmnGKzpGQnbJpMGdVO', 'Oez0yjfZm6k3aNkzrAUJ', 'bTTA8uRZyBckhB3gsqnI', 'zXsXWznHCKDrAbAY3wzx', 'DerdoCd5aMBglQRIzXd8', 'qrcmkXDDhmOybPhPlqJc', 'jxtfy1BZtlWXmXGxMyHz', '_03W3fM6Sq5zNR4NXzjm1'
                    Source: NJRAT DANGEROUS.exe, kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We.cs High entropy of concatenated method names: 'IEiS33vdNiPQNwaQQNMeSFXEvNCwA57qudQdnsdPIHAuHPpDsElkKUTuHIRGPkLty', 'Djy0XSwRQhKNokm9R0Glr5Z0EjCapTIpxLe1umzO1OKdJpCfH0ER048J3iHNgy18y', '_23X3oYX0Eo8iXGmtC8hFqwsCBFRbrZxFdYSIF278OVNFqyQOMkHhu29hEaUOo7OGC', 'hElNTs2qMhE00ykL7q0mTmp82U7lo2Fj7cV46I7Ex66IklTgGGGketyO4XVM3oQZ5', 'FHOwMrSLm7ptkV8AWCYcaldlByklxc98RIQtD3oELkEeAPDYRmqYRtOliQjJX5MKU', 'RDRXW1lYjn1BFX2mOCsOnqvVnflTyafrgDktoAMc8ap7DqyIIYSNaYwh7JGtiH1c0', '_3hDwHIHv8C7a5afDDMvGFxuUC6MVN53DaUwpa8R16OsRPQi2oBMxHWA4fcHyoBAPI', 'dlTnE1j3RxqmjOXfU5KFvj3ORR5yyhNCc2CuyEtEtcK7ZbeCfaVFneZCEQC9AiDba', 'P8sVCtD7Re9JwMs9GcPV3v8EHKxZWZ3KjnZnSbmZrz75BL4btamO5ERtknOxQlxbC', 'RDNBo1SIuqar9uonqOwKyf0MXrByib87wKIHgve6WqgelhRCcgIRbjFcIlTzzFsnJ'
                    Source: NJRAT DANGEROUS.exe, gdzvroPSWlwimSxWtBgPbsIFQABTC4x2x.cs High entropy of concatenated method names: 'DnH6GZKwJRZH9WsvDMGG59jU4R1nITH8A', '_2RfgbutdcMHCAMadgU9BiRyZ0BnRayTNK', 'S59iMdMzDh5KR9J6U08Kr1aooF4KDnvpb', 'Szcd3e7mfU4kSiYM6KtpPPij3nGATaobF', 'McNjEbVpz4w5X3QGboOvxWpF3qJ1DpxFD', '_8vKuJtgdlbaWa236lsGI2Rxs8VxF9E86m', 'PMxJobmJo5uw2vX0X3GmnMcxSf31I9fdg', 'Iu8UYQCRCOxrOz35rHqCZhqZ0g3hQEm5J', '_9P5K2QhKocA1pLWzbghDz9usAMib6xAfT', 'LKu5E9fyLPJkeaHrvKSGOMBWM8IJGMHhe'
                    Source: NJRAT DANGEROUS.exe.0.dr, 9V4uPvuQxjeUmiWv5fYGWdKhugMlve22y.cs High entropy of concatenated method names: 'txsmZIDYWOv5ZgpOgbiq7xvIYgcFbFeeyhJQpF9u5jvPmHnnWL3cp7O3Lf11mVA54cVnx6wguOEUxnQ7v40CinhHYnFg', 'yPesSP0sUGCgFNbWPJ1pjTwusfkDgoTnt3v2nUEMzSUCrll9pxVP5fsPkpR1t8dVBQ784RdpiXZFZbseiUclac87vo13', '_4hFcBUxwKTdDx3u1UD8pS8xkghefPfbnuLO5osk5mlAJF8yTgrgBVXfyMKNvXtYyGWMCbRJbi7kYUgK0wTzuKVDMyRR5', '_1apeF5qHzj8vW4h2nxDvy5EaEtiLRqDrZeKxHzTLp6U2G3VD8RjhcvLFzR5clTh7w0uvN1mXpEoT2H2VqXJCx38HpXae'
                    Source: NJRAT DANGEROUS.exe.0.dr, qHSayriWtT3OXN77LC9qsEVzK7k6CILViWmdDGzzdLFX7cUvRX.cs High entropy of concatenated method names: 'Z7DbLcEAJX0J6LXPdGG6IuDgBIxC2PUa0qEQk8FW2zMmxRRWDB', 'XMnFZyzLgHRjWroz91RrteaV72PwRupdPvvXzjv6peqjxolHhR', 'bYJKrP1k1SKP41DOXwESscCPMnRwMBsnQbyz9pqIbXk0pqUiFQ', '_8W5N8fmECS9Oy1OmUncv', '_7riJRrV98vqH7X5ZNWN2', 'AAWXhxPsfJmtQrwBNY2Z', 'sN4QDaGoeSe64aSkHAHZ', 'gb8Y9kwLCHtRfZsfQIIN', 'x6IrrIBuCuzp06yEB0pf', 'i0IxpGKfCwI946BRRemL'
                    Source: NJRAT DANGEROUS.exe.0.dr, XOBTV4xzrjIi7ydC4irRLj2m8yvVfEd9wOAS0QebbgneG7yawFJtgOsknzkuOUmh8KjvNbCZIZRO1q6WyiArWzAcDu.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'eETC1ztypZqcZj6UmGL2mUi3YkFIPv3QiNy0vvhVTLMrKrRMgWrzdeePLgYudndC969Dk4hjeJ5R61IQNYshFkT1A8Sj', 'fhZSGNfawqcOTB7HPq2kohDpC5Ot11IgcqjEq2JSNkVHuZ0atvrFm5oux7PW9DlezkR7V1m2f8RE2JaxcMYBvKDsDigY', '_4gLirK7bBm6Cr34YlEusAZBfWH0CUBshd44ro73c3JlCc81Nr7Is3lzTZPH81oBenGc4TWM7ce9Wi7DgUwqjdCSSs3zR', 'S3JPpNz2fqKG6y4zpwaOAIVv2Hh237bfG4lzZZmL9vEqrjGLcwt16QxXNBJrfrwAs2GHhIX0a4VZGgoxGwY3wdSO9NKD'
                    Source: NJRAT DANGEROUS.exe.0.dr, W1ECQFPlvJC03oUAAQoBl7CLAYVqZ4mg3bZbjnbANJzDMTjPE8ZJuGXHBbmCHYy7c.cs High entropy of concatenated method names: 'shM2vbZx3BxV5S2heYmbBhG4YYP7tusrhWDNQcsJ8plg3uDAXCrajrhMxZphGPV5F', 'AUdFUYzhuyWj9l2JfGOq', 'J1Tr4oY4YJeejPv1Zqyg', 'dBM4F61dwehM6KZIgjPO', 'RPBnhanWzYkr2lBGTqZh'
                    Source: NJRAT DANGEROUS.exe.0.dr, XIISYPtSayyijO4BjqyURZBpYZpckRlA7cyAZyrZ4cCawECzppnTpdWXcewMBtGuX.cs High entropy of concatenated method names: 'pDklJFGAM3beyPqLYohI3Y7P7Zg07BvOrLzezWFx0GO4hjCfGirqQpmjbngSh9M66', 'z8qJutwML4lTFJmpSXV1wkpHIArRmuRjM2ekaFYVhOnQgtzfSc78fwWhWpFaRjDP9', 'yfEJ0xAVGu1IHfvnd4XEKNxWvZwKsE30MVS2evcfUoPPgEqhaQK1k4CwBryAwOOMN', 'dMTq1qiXlJbO1owwtMx0', 'FIOJA8HAOAXIOsklxAZr', 'QJ8ZUNH9OnoaHeCsuZRS', 'CeGwGxt5fnJCTZz082yw', '_7yiU9yopXNlfZSbGBdbK', '_6NW09JVIZQuU5fASbyAz', 'IVw4vdLPsB3O9DvMix4y'
                    Source: NJRAT DANGEROUS.exe.0.dr, p42u2CdTpFEJwWFLtRvVzAuqTcRvqzmbx.cs High entropy of concatenated method names: 'tnde14zvnCWW3IBtRf4EBKh3ut1CDKXac', 'YoKilti6hqosarzEx5OpyDpwK1YMnNdAq', 'aV9Bz4kHfYwVFKSJQLzZj1y5789im9JDM', 'A2tosO2zwIkXyseSWE3O2x0iQTdMwWgRz', 'tiuoZtXB9aMy3QEkviytNAiOAqxWLc2EE', 'wz0bfGQTodYo6mrTbobqB4bdv8GtZCJUl', 'nlnHlwMORZK67NWFZQugKwsMevSaKMp3b', 'pSoBQZEygvhqQPFuJeCTiz3fgDdnw0vi5', 'MYRUiKSDS6N1cblejrJXCi9XeZWwf0Dyn', 'IoaadOnBX2SxoXUCuu53CtOgTTSdA9KfF'
                    Source: NJRAT DANGEROUS.exe.0.dr, Vdg58QAt6NK1hQvmIDPDiDTjhiHT029tX.cs High entropy of concatenated method names: '_2NfpL3et8bk8Kalh1cLEJG9Dce7EDTlOO', 'yq31zUPEOpnaMk4V1cy1jve2jJmLmn0wK', 'kMpLmw3Pj6imPAqxRMrslgcFXMndclvhK', 'pUJNCTHPY47aMxUkqalyR73zu6woLbMN6', 'XPK5jVJtDtgapGi8Fn48IbatiRz8AV36e', 'woFKLqsfw7Uol62Mym1wj3H6OWJFCvP98', 'YaVe3YSltCyMvknItGer9bqDiBmfQFt0C', 'XKph5IJpfxyu8BG5JQhBFFvwRt5lUC8g9', 'C4wExEzOS9YwQOg4RhsGPX9fwWorBgrmn', 'ziM3e4LA1gQTPQbdruQsbmA7gyRcmPCPfHGdZXOWb30loukeB5piQpK09I5rY9kD6'
                    Source: NJRAT DANGEROUS.exe.0.dr, ZYLil0zEDX9C8l7Y0hjQ4rs584oXrBhIZHP1PUbL2ajhAEu0U3TFkZd6tpZA2Cmas.cs High entropy of concatenated method names: 'fFzdEDdxvZzQ2jrhGqh4p6Paf55aBm5dMYzKJZaR1wS0aFNAiDwMqrOfPlv3oPKeJ', 'REbAaj0s6ifNnLw10fR8slKSL8bukgYExImWM4ciEvuWMNYu45D5qcJStHu1FEkHp', 'n4LQxGUVG8OH56R1KHlRIPJPt8dNcVg9AqPAojyFJJF9SCZvQX0X4CoasBHQDuse7', 'IM85zPbegoWHte7YGhCCooHRXKkHudpICLUw3XjnUmLRGAYQ2jQCAelA0Ao6mtC6V', 'zpTiYPzrFbwoXL4ZAoCl', 'ah6QoxgUww2qW3hnTQFs', 'LPz30evXuT5cgOTiOPOv', '_8FUN7oyqbGsXmRPi2HYG', 'HjwVClMSZdao9NcAucP9', 'Begs91si3qZ0N3e0r91w'
                    Source: NJRAT DANGEROUS.exe.0.dr, vOS5UwX9hsXn72tHoEXrMZZ69cuA86uvLly5tuvo6aEHAVmaww8baJCmHybTelx3B.cs High entropy of concatenated method names: 'eW2RBzBbtn9LSbwL7qzdqjq0GvxDmOLOLNDxDkgN418iwipphgJBoOnr0BGz81Inf', 'GSQbs85KqyP7L6eaYviGUm1XnKTuex8yuxp6SZkpOJUUJss9ThoHVWTP6AmlmRi9K', 'XUouXOiY0No6qlvcDFimpDoeBqMGssWvFLeaDnOqiv166jyjmnGKzpGQnbJpMGdVO', 'Oez0yjfZm6k3aNkzrAUJ', 'bTTA8uRZyBckhB3gsqnI', 'zXsXWznHCKDrAbAY3wzx', 'DerdoCd5aMBglQRIzXd8', 'qrcmkXDDhmOybPhPlqJc', 'jxtfy1BZtlWXmXGxMyHz', '_03W3fM6Sq5zNR4NXzjm1'
                    Source: NJRAT DANGEROUS.exe.0.dr, kj6EsMNdfesTHZOaMh8Jn2WdRS3cx25YAUUGeZuZdYa1kypN2VoZM7M8eUzobi8We.cs High entropy of concatenated method names: 'IEiS33vdNiPQNwaQQNMeSFXEvNCwA57qudQdnsdPIHAuHPpDsElkKUTuHIRGPkLty', 'Djy0XSwRQhKNokm9R0Glr5Z0EjCapTIpxLe1umzO1OKdJpCfH0ER048J3iHNgy18y', '_23X3oYX0Eo8iXGmtC8hFqwsCBFRbrZxFdYSIF278OVNFqyQOMkHhu29hEaUOo7OGC', 'hElNTs2qMhE00ykL7q0mTmp82U7lo2Fj7cV46I7Ex66IklTgGGGketyO4XVM3oQZ5', 'FHOwMrSLm7ptkV8AWCYcaldlByklxc98RIQtD3oELkEeAPDYRmqYRtOliQjJX5MKU', 'RDRXW1lYjn1BFX2mOCsOnqvVnflTyafrgDktoAMc8ap7DqyIIYSNaYwh7JGtiH1c0', '_3hDwHIHv8C7a5afDDMvGFxuUC6MVN53DaUwpa8R16OsRPQi2oBMxHWA4fcHyoBAPI', 'dlTnE1j3RxqmjOXfU5KFvj3ORR5yyhNCc2CuyEtEtcK7ZbeCfaVFneZCEQC9AiDba', 'P8sVCtD7Re9JwMs9GcPV3v8EHKxZWZ3KjnZnSbmZrz75BL4btamO5ERtknOxQlxbC', 'RDNBo1SIuqar9uonqOwKyf0MXrByib87wKIHgve6WqgelhRCcgIRbjFcIlTzzFsnJ'
                    Source: NJRAT DANGEROUS.exe.0.dr, gdzvroPSWlwimSxWtBgPbsIFQABTC4x2x.cs High entropy of concatenated method names: 'DnH6GZKwJRZH9WsvDMGG59jU4R1nITH8A', '_2RfgbutdcMHCAMadgU9BiRyZ0BnRayTNK', 'S59iMdMzDh5KR9J6U08Kr1aooF4KDnvpb', 'Szcd3e7mfU4kSiYM6KtpPPij3nGATaobF', 'McNjEbVpz4w5X3QGboOvxWpF3qJ1DpxFD', '_8vKuJtgdlbaWa236lsGI2Rxs8VxF9E86m', 'PMxJobmJo5uw2vX0X3GmnMcxSf31I9fdg', 'Iu8UYQCRCOxrOz35rHqCZhqZ0g3hQEm5J', '_9P5K2QhKocA1pLWzbghDz9usAMib6xAfT', 'LKu5E9fyLPJkeaHrvKSGOMBWM8IJGMHhe'
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe File created: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT DANGEROUS" /tr "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NJRAT DANGEROUS.lnk

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe	Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: NJRAT DANGEROUS.exe, NJRAT DANGEROUS.exe.0.dr; Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; Memory allocated: EB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; Memory allocated: 1ADF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Memory allocated: 620000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Memory allocated: 1A520000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Memory allocated: 2590000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Memory allocated: 1A870000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Memory allocated: D30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Memory allocated: 1ABD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Memory allocated: FD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Memory allocated: 1AA40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; Window / User API: threadDelayed 2508
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; Window / User API: threadDelayed 7282
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5774
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4056
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7222
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2354
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 8190
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1333
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe TID: 5328; Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448; Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3560; Thread sleep count: 7222 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3560; Thread sleep count: 2354 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5436; Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2000; Thread sleep count: 8190 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596; Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5988; Thread sleep count: 1333 > 30
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe TID: 5516; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe TID: 6276; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe TID: 5240; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe TID: 6208; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; File Volume queried: C:\ FullSizeInformation
                    Source: NJRAT DANGEROUS.exe.0.dr; Binary or memory string: vmware
                    Source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; Code function: 0_2_00007FF848E767DA CheckRemoteDebuggerPresent,0_2_00007FF848E767DA
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; Process queried: DebugPort
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe'
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe'
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe'
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NJRAT DANGEROUS.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT DANGEROUS" /tr "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeQueries volume information: C:\Users\user\Desktop\NJRAT DANGEROUS.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeQueries volume information: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeQueries volume information: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeQueries volume information: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exeQueries volume information: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe VolumeInformation
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BC13000.00000004.00000020.00020000.00000000.sdmp, NJRAT DANGEROUS.exe, 00000000.00000002.3343668388.000000001BBC8000.00000004.00000020.00020000.00000000.sdmp, NJRAT DANGEROUS.exe, 00000000.00000002.3310773959.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, NJRAT DANGEROUS.exe, 00000000.00000002.3310773959.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp, NJRAT DANGEROUS.exe, 00000000.00000002.3310773959.0000000000F83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\NJRAT DANGEROUS.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: NJRAT DANGEROUS.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.NJRAT DANGEROUS.exe.a40000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.2040464728.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3316762104.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: NJRAT DANGEROUS.exe PID: 2520, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara matchFile source: NJRAT DANGEROUS.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.NJRAT DANGEROUS.exe.a40000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.2040464728.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3316762104.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: NJRAT DANGEROUS.exe PID: 2520, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 441 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 2 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 1 DLL Side-Loading | 2 Registry Run Keys / Startup Folder | 51 Virtualization/Sandbox Evasion | Security Account Manager | 51 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1575695
Sample: NJRAT DANGEROUS.exe
Startdate: 16/12/2024
Architecture: WINDOWS
Score: 100

Start
  DNS/IP: soon-lp.at.ply.gg; ip-api.com
  Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 23 other signatures
  Started: NJRAT DANGEROUS.exe 15 7; NJRAT DANGEROUS.exe; NJRAT DANGEROUS.exe; 2 other processes
NJRAT DANGEROUS.exe 15 7
  DNS/IP: soon-lp.at.ply.gg 147.185.221.181, 17209, 49781, 49845 SALSGIVERUS United States; ip-api.com 208.95.112.1, 49704, 80 TUT-ASUS United States
  Dropped: C:\Users\user\AppData\...\NJRAT DANGEROUS.exe, PE32
  Signatures: Protects its processes via BreakOnTermination flag; Adds a directory exclusion to Windows Defender
  Started: powershell.exe 23; powershell.exe 23; powershell.exe 20; 2 other processes
NJRAT DANGEROUS.exe (second instance)
  Dropped: C:\Users\user\...\NJRAT DANGEROUS.exe.log, CSV
powershell.exe 23
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe
powershell.exe 23
  Started: conhost.exe
powershell.exe 20
  Started: conhost.exe
2 other processes
  Started: conhost.exe

Source | Detection | Scanner | Label
NJRAT DANGEROUS.exe | 65% | Virustotal |
NJRAT DANGEROUS.exe | 82% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
NJRAT DANGEROUS.exe | 100% | Avira | HEUR/AGEN.1305769
NJRAT DANGEROUS.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | 100% | Avira | HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe | 82% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches

Source | Detection | Scanner | Label
soon-lp.at.ply.gg | 5% | Virustotal |

Source | Detection | Scanner | Label
soon-lp.at.ply.gg | 100% | Avira URL Cloud | malware
http://schemas.mic | 0% | Avira URL Cloud | safe
soon-lp.at.ply.gg | 5% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
soon-lp.at.ply.gg | 147.185.221.181 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
soon-lp.at.ply.gg | true | 5%, Virustotal; Avira URL Cloud: malware | unknown
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2217285886.00000232412B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2309591959.000002822E591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mic | powershell.exe, 00000002.00000002.2222361705.00000232495B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2192898603.0000023231469000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2254869671.000002821E749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2192898603.0000023231469000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2254869671.000002821E749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2217285886.00000232412B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2309591959.000002822E591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000002.00000002.2222361705.00000232495B2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000008.00000002.2468079949.0000021569880000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft. | powershell.exe, 00000006.00000002.2323742781.0000028236B50000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2192898603.0000023231241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2254869671.000002821E521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369678942.0000021559811000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | NJRAT DANGEROUS.exe, 00000000.00000002.3316762104.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192898603.0000023231241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2254869671.000002821E521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369678942.0000021559811000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.m | powershell.exe, 00000002.00000002.2192793183.000002323111C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.2369678942.0000021559A39000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
147.185.221.181 | soon-lp.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575695
Start date and time: 2024-12-16 08:37:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NJRAT DANGEROUS.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@18/19@2/2
                                                      EGA Information:
                                                      • Successful, ratio: 12.5%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 76
                                                      • Number of non-executed functions: 4
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target NJRAT DANGEROUS.exe, PID 1772 because it is empty
                                                      • Execution Graph export aborted for target NJRAT DANGEROUS.exe, PID 2508 because it is empty
                                                      • Execution Graph export aborted for target NJRAT DANGEROUS.exe, PID 4912 because it is empty
                                                      • Execution Graph export aborted for target NJRAT DANGEROUS.exe, PID 5476 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 2860 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 7156 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 748 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
02:38:09 | API Interceptor | 55x Sleep call for process: powershell.exe modified
02:38:47 | API Interceptor | 888584x Sleep call for process: NJRAT DANGEROUS.exe modified
08:38:46 | Task Scheduler | Run new task: NJRAT DANGEROUS path: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe
08:38:47 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NJRAT DANGEROUS C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe
08:38:55 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NJRAT DANGEROUS C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe
08:39:03 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NJRAT DANGEROUS.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | com surrogate.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | jerniuiopu.exe | malicious | Blackshades | ip-api.com/json/
208.95.112.1 | file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | ip-api.com/line/?fields=hosting
208.95.112.1 | RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 7laJ4zKd8O.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | ip-api.com/json/
208.95.112.1 | gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT | ip-api.com/json/
208.95.112.1 | hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer | ip-api.com/json/
208.95.112.1 | da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 03VPFXH490.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
soon-lp.at.ply.gg | virusrat.jar | malicious | Unknown | 209.25.141.181
soon-lp.at.ply.gg | virusrat.jar | malicious | Unknown | 209.25.141.181
soon-lp.at.ply.gg | Bsp7liZ1i3.exe | malicious | ArrowRAT | 209.25.141.181
soon-lp.at.ply.gg | file.exe | malicious | BitRAT | 209.25.141.181
ip-api.com | com surrogate.exe | malicious | XWorm | 208.95.112.1
ip-api.com | jerniuiopu.exe | malicious | Blackshades | 208.95.112.1
ip-api.com | file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | 208.95.112.1
ip-api.com | RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 208.95.112.1
ip-api.com | 7laJ4zKd8O.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
ip-api.com | gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT | 208.95.112.1
ip-api.com | hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
ip-api.com | da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm | 208.95.112.1
ip-api.com | 03VPFXH490.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | com surrogate.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | lastest.exe | malicious | Njrat | 147.185.221.20
SALSGIVERUS | Fast Download.exe | malicious | Njrat | 147.185.221.229
SALSGIVERUS | cnct.exe | malicious | Njrat | 147.185.221.20
SALSGIVERUS | Server1.exe | malicious | Njrat | 147.185.221.17
SALSGIVERUS | njSilent.exe | malicious | Njrat | 147.185.221.19
SALSGIVERUS | Minet.exe | malicious | Njrat | 147.185.221.22
SALSGIVERUS | Discordd.exe | malicious | AsyncRAT | 147.185.221.18
SALSGIVERUS | Discord2.exe | malicious | AsyncRAT | 147.185.221.18
SALSGIVERUS | Discord3.exe | malicious | AsyncRAT | 147.185.221.18
TUT-ASUS | com surrogate.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | jerniuiopu.exe | malicious | Blackshades | 208.95.112.1
TUT-ASUS | https://fsharetv.io | malicious | Unknown | 162.252.214.4
TUT-ASUS | file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | 208.95.112.1
TUT-ASUS | RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 208.95.112.1
TUT-ASUS | 7laJ4zKd8O.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
TUT-ASUS | gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT | 208.95.112.1
TUT-ASUS | hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
TUT-ASUS | da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm | 208.95.112.1
                                                      No context
                                                      No context
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Mon Dec 16 07:40:04 2024, 0x1205a4 type
Category: dropped
Size (bytes): 589212
Entropy (8bit): 2.938503665755775
Encrypted: false
SSDEEP: 6144:FFnefBu1iKQznMxI1pwu7mq14nj74gwYGH3QSr+d290to0N:FVqwCznpkq1lfXQTd2990N
MD5: F97A06C561E2F89ED55B7CA08DE7929A
SHA1: 5C26AE89F75983E6A560F12841BF4AD478B11479
SHA-256: 8E5B314786922D81EA612380AFA8CACB86DEF1599584735D306BDBBE4062200D
SHA-512: CEE41BA353BAE8A4DCE46F641762A1D5618C42D88FF6D1EC80465951F49B7F2705CE92BC3A84A70B16F6EDAAA0C56A1A12736FD8D9905A69013EFDD808C19CA9
Malicious: false
                                                      Preview:MDMP..a..... .......T._g.........................(...............4...........4.......C..............l.......8...........T...........0b..l............G..........tI..............................................................................eJ.......J......Lw......................T............._g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\System32\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):9348
                                                      Entropy (8bit):3.7104653961861596
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJNiIZz6YEI/6wgmfk4jG4t85prh89blze1mO6fMXm:R6lXJEIZz6YEw6wgmfkr4tLlq1mO6fh
                                                      MD5:0F99B7B191E49797ECAC3C91DF93D296
                                                      SHA1:E0CBE9C3904B068C7AB67611C5766F3E291F7AEA
                                                      SHA-256:09094D3BDF019C86C83B9AFA3E1DB0D64771746BED10E1342625A8EB65DC547D
                                                      SHA-512:EBB74CFE265200A2ECA9B8606E82C8CDD56A7C163EE560432C1C74C1B2EB7C06405EF5D11EDA81A7BBDF67DD5DA0D34E360E0DD832D8930982E98F356B0CCE42
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.2.0.<./.P.i.
                                                      Process:C:\Windows\System32\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4965
                                                      Entropy (8bit):4.528239187307719
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwWl8zsRJg771I922SWpW8VYuAYm8M4JpSFgoyq8vRMSqMZAAd:uIjfjI7h2z7V7NJtoWHqMZAAd
                                                      MD5:932B08BAB051DDE60300BBFAFBBBF31A
                                                      SHA1:78D544446DC993AB52ACF6C108516C409207C7B7
                                                      SHA-256:200AF8962CBF532BC8158F9D79D783F6F01B4AC9D73197A733AEAEC68D9AE97C
                                                      SHA-512:F3F34F550E05B9CB53BFEA9FA17C8AFF1102A63BBDDDDF7232ED92948D0770E46AE4432E707C98E57DC816991B40083D35E471992FB54480A663832063050186
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="633522" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                      Process:C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):654
                                                      Entropy (8bit):5.380476433908377
                                                      Encrypted:false
                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                      Malicious:true
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Preview:@...e...........................................................
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Users\user\Desktop\NJRAT DANGEROUS.exe
                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 16 06:38:45 2024, mtime=Mon Dec 16 06:38:47 2024, atime=Mon Dec 16 06:38:47 2024, length=70656, window=hide
                                                      Category:dropped
                                                      Size (bytes):807
                                                      Entropy (8bit):5.074266300976537
                                                      Encrypted:false
                                                      SSDEEP:12:8jOiCHlEM4fKZk88CjhlsY//NLl9C8ZyKVibjAnvvHZSkAqVixggWGWfmV:8yNYfw8eZxBBVivA5SrqVixggWGWfm
                                                      MD5:9C9C7682E06313D6BB6B1509DD4DF225
                                                      SHA1:BEAE5C906CC2D0501132870A20842B45624C1792
                                                      SHA-256:4A1BDC2A96D722B2289EB033C92EA3A7AB9E4E0246E8F541D4926F5867C3AC84
                                                      SHA-512:9852C080FAC08C00D453AAF9F284A1196DB2E6C2BC4F359390761D9DE28E38AB6A6E1A2AC9EFDAF78FF7939962C09BD5870AD839C898D0EE522BC00B3F28C607
                                                      Malicious:false
                                                      Preview:L..................F.... ...o.u..O...k...O...k...O............................:..DG..Yr?.D..U..k0.&...&...... M........h.O......O......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y.<....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.<..Roaming.@......DWSl.Y.<....C........................R.o.a.m.i.n.g.....t.2......Y.< .NJRATD~1.EXE..X......Y.<.Y.<....C.....................bHU.N.J.R.A.T. .D.A.N.G.E.R.O.U.S...e.x.e.......b...............-.......a..................C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe..".....\.....\.....\.....\.....\.N.J.R.A.T. .D.A.N.G.E.R.O.U.S...e.x.e.`.......X.......065367...........hT..CrF.f4... ..........,...W..hT..CrF.f4... ..........,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                      Process:C:\Users\user\Desktop\NJRAT DANGEROUS.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):70656
                                                      Entropy (8bit):5.983401222888051
                                                      Encrypted:false
                                                      SSDEEP:1536:5ihEd3G8rmQM+ypR3Vqolmvbtd69yspfmrm65E9aOcNyW5Z+:EW3GN7+YRlV6btMSAaOcNH+
                                                      MD5:401B1EA00D135D5060F237C2F5A8A6C4
                                                      SHA1:6955A95C3B4F5DE689B352E3D7E0BADD821D624B
                                                      SHA-256:9B8CBCF33039DC4EE3A8649FAB25ED587E7C75958473F4EB814D5C13D90F8FFA
                                                      SHA-512:36324A55944A423ADBDE5856DBFD80498EDBBDAFEA4808F4F39DA7AB5A9C50059C4D242B2365062856187160EE65EDB573E81D4644A1E7FBDE20B4656EE892B4
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 82%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<sd............................^(... ...@....@.. ....................................@..................................(..O....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@(......H........b..,.......&.....................................................(....*.r...p*. t...*..(....*.rg..p*. Q...*.s.........s.........s.........s.........*.r"..p*. "Y..*.r...p*. +...*.r...p*. E/..*.rS..p*. ...*.r...p*. ....*..((...*.rI..p*. ..9.*.r...p*. a..*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Q...*&(....&+.*.+5sc... .... .'..od...(*...~....-.(X...(N...~....oe...&.-.*.r...p*. ,-..*.r...p*. .x!.*.rE..p*. .t..*.r...p*. *p{.*.r...p*.rv..p*. ....*.r1..p*. .W..*.r...p
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):5.983401222888051
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:NJRAT DANGEROUS.exe
                                                      File size:70'656 bytes
                                                      MD5:401b1ea00d135d5060f237c2f5a8a6c4
                                                      SHA1:6955a95c3b4f5de689b352e3d7e0badd821d624b
                                                      SHA256:9b8cbcf33039dc4ee3a8649fab25ed587e7c75958473f4eb814d5c13d90f8ffa
                                                      SHA512:36324a55944a423adbde5856dbfd80498edbbdafea4808f4f39da7ab5a9c50059c4d242b2365062856187160ee65edb573e81d4644a1e7fbde20b4656ee892b4
                                                      SSDEEP:1536:5ihEd3G8rmQM+ypR3Vqolmvbtd69yspfmrm65E9aOcNyW5Z+:EW3GN7+YRlV6btMSAaOcNH+
                                                      TLSH:9C638C183BE64125F2FF6FB05DA03157DA39F7636A12A71F20C8429B07239858D417FA
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<sd............................^(... ...@....@.. ....................................@................................
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x41285e
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x64733CBC [Sun May 28 11:36:28 2023 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1280c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x50e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x10864 | 0x10a00 | 131d6b452616fd4ef7c64f16795aa14a | False | 0.5944255169172933 | data | 6.05895189166813 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x14000 | 0x50e | 0x600 | 52927d899dd211a1bd4ab4522cf22d92 | False | 0.388671875 | data | 3.8825514148734097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x16000 | 0xc | 0x200 | 0aba401421531a02333d0dbf828d79b9 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x140a0 | 0x284 | data | | | 0.45962732919254656
RT_MANIFEST | 0x14324 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T08:39:03.308463+0100 | 2853618 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49781 | 147.185.221.181 | 17209 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:38:02.531083107 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:38:02.650934935 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Dec 16, 2024 08:38:02.651067019 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:38:02.652143955 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:38:02.771806955 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Dec 16, 2024 08:38:03.746903896 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Dec 16, 2024 08:38:03.789618969 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:38:40.898489952 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Dec 16, 2024 08:38:40.898564100 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:38:48.846693993 CET | 49781 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:38:48.967349052 CET | 17209 | 49781 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:38:48.967466116 CET | 49781 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:38:49.049562931 CET | 49781 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:38:49.170886040 CET | 17209 | 49781 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:03.308463097 CET | 49781 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:03.429970980 CET | 17209 | 49781 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:10.868161917 CET | 17209 | 49781 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:10.868243933 CET | 49781 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:15.446150064 CET | 49781 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:15.447506905 CET | 49845 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:15.565911055 CET | 17209 | 49781 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:15.567241907 CET | 17209 | 49845 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:15.567318916 CET | 49845 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:15.607261896 CET | 49845 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:15.727057934 CET | 17209 | 49845 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:29.868320942 CET | 49845 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:29.988029957 CET | 17209 | 49845 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:37.478708982 CET | 17209 | 49845 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:37.478842020 CET | 49845 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:38.446182013 CET | 49845 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:38.447326899 CET | 49899 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:38.565960884 CET | 17209 | 49845 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:38.567050934 CET | 17209 | 49899 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:38.567164898 CET | 49899 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:38.589880943 CET | 49899 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:38.709780931 CET | 17209 | 49899 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:43.775832891 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:39:44.086771011 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:39:44.687606096 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:39:45.899239063 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:39:48.305480003 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:39:52.618329048 CET | 49899 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:39:52.738225937 CET | 17209 | 49899 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:39:53.117999077 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:40:00.466083050 CET | 17209 | 49899 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:40:00.466160059 CET | 49899 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:40:02.649429083 CET | 49899 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:40:02.654273033 CET | 49954 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:40:02.769810915 CET | 17209 | 49899 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:40:02.774532080 CET | 17209 | 49954 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:40:02.774626017 CET | 49954 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:40:02.810266972 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Dec 16, 2024 08:40:02.812731981 CET | 49954 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:40:02.932849884 CET | 17209 | 49954 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:40:02.932939053 CET | 49954 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:40:03.052946091 CET | 17209 | 49954 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:40:03.053011894 CET | 49954 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:40:03.172916889 CET | 17209 | 49954 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:40:03.384558916 CET | 49954 | 17209 | 192.168.2.5 | 147.185.221.181
Dec 16, 2024 08:40:03.504343987 CET | 17209 | 49954 | 147.185.221.181 | 192.168.2.5
Dec 16, 2024 08:40:09.435478926 CET | 49954 | 17209 | 192.168.2.5 | 147.185.221.181
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:38:02.386356115 CET | 59162 | 53 | 192.168.2.5 | 1.1.1.1
Dec 16, 2024 08:38:02.523914099 CET | 53 | 59162 | 1.1.1.1 | 192.168.2.5
Dec 16, 2024 08:38:48.595571995 CET | 64059 | 53 | 192.168.2.5 | 1.1.1.1
Dec 16, 2024 08:38:48.844944000 CET | 53 | 64059 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 08:38:02.386356115 CET | 192.168.2.5 | 1.1.1.1 | 0x5022 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 08:38:48.595571995 CET | 192.168.2.5 | 1.1.1.1 | 0xa236 | Standard query (0) | soon-lp.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 08:38:02.523914099 CET | 1.1.1.1 | 192.168.2.5 | 0x5022 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 08:38:48.844944000 CET | 1.1.1.1 | 192.168.2.5 | 0xa236 | No error (0) | soon-lp.at.ply.gg | | 147.185.221.181 | A (IP address) | IN (0x0001) | false
                                                      • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 208.95.112.1 | 80 | 2520 | C:\Users\user\Desktop\NJRAT DANGEROUS.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 08:38:02.652143955 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 16, 2024 08:38:03.746903896 CET | 175 | IN | HTTP/1.1 200 OK
                                                      Date: Mon, 16 Dec 2024 07:38:03 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 6
                                                      Access-Control-Allow-Origin: *
                                                      X-Ttl: 60
                                                      X-Rl: 44
                                                      Data Raw: 66 61 6c 73 65 0a
                                                      Data Ascii: false

                                                      Target ID:0
                                                      Start time:02:37:57
                                                      Start date:16/12/2024
                                                      Path:C:\Users\user\Desktop\NJRAT DANGEROUS.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\NJRAT DANGEROUS.exe"
                                                      Imagebase:0xa40000
                                                      File size:70'656 bytes
                                                      MD5 hash:401B1EA00D135D5060F237C2F5A8A6C4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2040464728.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2040464728.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3316762104.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:2
                                                      Start time:02:38:03
                                                      Start date:16/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\NJRAT DANGEROUS.exe'
                                                      Imagebase:0x7ff7be880000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:02:38:03
                                                      Start date:16/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:02:38:16
                                                      Start date:16/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NJRAT DANGEROUS.exe'
                                                      Imagebase:0x7ff7be880000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:02:38:16
                                                      Start date:16/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:02:38:27
                                                      Start date:16/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe'
                                                      Imagebase:0x7ff7be880000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:02:38:27
                                                      Start date:16/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:02:38:45
                                                      Start date:16/12/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT DANGEROUS" /tr "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
                                                      Imagebase:0x7ff6f4520000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:02:38:45
                                                      Start date:16/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:02:38:55
                                                      Start date:16/12/2024
                                                      Path:C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
                                                      Imagebase:0x7ff6068e0000
                                                      File size:70'656 bytes
                                                      MD5 hash:401B1EA00D135D5060F237C2F5A8A6C4
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe, Author: ditekSHen
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 82%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:02:39:01
                                                      Start date:16/12/2024
                                                      Path:C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
                                                      Imagebase:0x690000
                                                      File size:70'656 bytes
                                                      MD5 hash:401B1EA00D135D5060F237C2F5A8A6C4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:02:39:03
                                                      Start date:16/12/2024
                                                      Path:C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
                                                      Imagebase:0x8c0000
                                                      File size:70'656 bytes
                                                      MD5 hash:401B1EA00D135D5060F237C2F5A8A6C4
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:02:40:00
                                                      Start date:16/12/2024
                                                      Path:C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"
                                                      Imagebase:0x880000
                                                      File size:70'656 bytes
                                                      MD5 hash:401B1EA00D135D5060F237C2F5A8A6C4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:02:40:03
                                                      Start date:16/12/2024
                                                      Path:C:\Windows\System32\WerFault.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 2520 -s 2572
                                                      Imagebase:0x7ff67d400000
                                                      File size:570'736 bytes
                                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false
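Added example, not part of the Joe Sandbox report or of the sample: the two command lines that carry the persistence chain in the process list above (the PowerShell Add-MpPreference exclusion of the dropped binary and the schtasks entry that relaunches it every minute with /RL HIGHEST) turned into detection logic over process-creation records. The record layout (Sysmon Event ID 1 style), the -EncodedCommand variant (pid 21), the benign daily task (pid 30) and the two-reason threshold for schtasks are assumptions constructed for the example, not anything observed in this report; the conhost `0xffffffff -ForceV1` line is included as the expected negative.

```python
"""Added example (not from the Joe Sandbox report): flag the Defender-exclusion
and scheduled-task persistence chain from constructed process-creation records
modelled on the command lines in the process list above."""
import base64
import re

# Constructed records in a Sysmon Event ID 1 style (pid, image, command line).
# PIDs 7, 8 and 11 mirror the report's command lines; 21 and 30 are invented
# to exercise the encoded-command variant and a benign negative case.
ENCODED_EXCLUSION = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\x.exe'".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 7, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 8, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                 r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
                 r"'C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe'")},
    {"pid": 11, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                 r'/tn "NJRAT DANGEROUS" /tr "C:\Users\user\AppData\Roaming\NJRAT DANGEROUS.exe"')},
    {"pid": 21, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED_EXCLUSION},
    {"pid": 30, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\run.exe"'},
]

# PowerShell accepts abbreviations of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Locations a non-admin user can write to; an AV exclusion or task binary there is the red flag.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\", re.I)


def expand_encoded_command(cmdline):
    """Return cmdline with a -EncodedCommand payload decoded in place, or unchanged."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a decodable payload; leave it for the analyst
    return cmdline[:m.start()] + decoded + cmdline[m.end():]


def defender_exclusion_finding(cmdline):
    """Any Add-/Set-MpPreference exclusion is worth review; the reasons grade it."""
    expanded = expand_encoded_command(cmdline)
    if not re.search(r"\b(?:Add|Set)-MpPreference\b", expanded, re.I):
        return None
    m = re.search(r"""-Exclusion(?:Path|Process|Extension)\s+['"]?([^'"]+)""", expanded, re.I)
    target = m.group(1).strip() if m else ""
    reasons = ["Defender exclusion added"]
    if re.search(r"-ExecutionPolicy\s+Bypass", expanded, re.I):
        reasons.append("execution policy bypassed")
    if ENCODED_FLAG.search(cmdline):
        reasons.append("command was base64-encoded")
    if USER_WRITABLE.search(target):
        reasons.append("exclusion targets a user-writable path")
    return {"rule": "defender_exclusion", "target": target, "reasons": reasons}


def tokenize_windows(cmdline):
    """Split on whitespace while keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def schtasks_finding(cmdline, min_reasons=2):
    """schtasks /create showing enough of the report's traits; min_reasons is a tunable assumption."""
    toks = tokenize_windows(cmdline)
    low = [t.lower() for t in toks]
    if not toks or not low[0].endswith("schtasks.exe") or "/create" not in low:
        return None
    opts = {}
    for flag in ("/sc", "/mo", "/rl", "/tr"):
        if flag in low and low.index(flag) + 1 < len(toks):
            opts[flag] = toks[low.index(flag) + 1]
    reasons = []
    mo = opts.get("/mo", "1")  # schtasks defaults /mo to 1 for /sc minute
    if opts.get("/sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"runs every {int(mo)} minute(s)")
    if opts.get("/rl", "").lower() == "highest":
        reasons.append("requests highest run level")
    if "/f" in low:
        reasons.append("forces overwrite of an existing task")
    if USER_WRITABLE.search(opts.get("/tr", "")):
        reasons.append("task binary lives in a user-writable path")
    if len(reasons) < min_reasons:
        return None
    return {"rule": "scheduled_task", "target": opts.get("/tr", ""), "reasons": reasons}


def scan(events):
    """Run both rules over every record; return findings tagged with the pid."""
    findings = []
    for ev in events:
        for rule in (defender_exclusion_finding, schtasks_finding):
            hit = rule(ev["cmdline"])
            if hit:
                hit["pid"] = ev["pid"]
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['rule']} -> {f['target']} ({'; '.join(f['reasons'])})")
```

Run it directly to print the three findings (pids 8, 11 and 21); to use it on real data, replace SAMPLE_EVENTS with command lines from Sysmon Event ID 1 or Security 4688 records. Decoding -EncodedCommand before matching matters because the plain "Add-MpPreference" string never appears in the raw command line of an encoded launch.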


                                                        Execution Graph

                                                        Execution Coverage:21.2%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:33.3%
                                                        Total number of Nodes:9
                                                        Total number of Limit Nodes:0

                                                        Control-flow Graph

                                                         [Control-flow graph rendered as an image in the original; edge list omitted. Function entry 7ff848e79239; calls 7ff848e78f00, 7ff848e70368, 7ff848e780c8, 7ff848e70378, 7ff848e70358, 7ff848e78348, 7ff848e70348 and 7ff848e78358; no imported API resolved.]
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.3349107000.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 6$L$cAN_^
                                                        • API String ID: 0-4048042519
                                                        • Opcode ID: b5e960c36f52e441068604e4cee12e9de6fa7652d3d7b52774cc793b708ef258
                                                        • Instruction ID: 968cc3aad6ad5454e704ac1088d4dace9a2a94af2456a06e7a001e949742678b
                                                        • Opcode Fuzzy Hash: b5e960c36f52e441068604e4cee12e9de6fa7652d3d7b52774cc793b708ef258
                                                        • Instruction Fuzzy Hash: 0BD28070A18A499FEB88EF28C49977DB7E2FF98740F144579D40DD3291DF38A8818B46

                                                        Control-flow Graph

                                                         [Control-flow graph rendered as an image in the original; edge list omitted. Function entry 7ff848e71609; calls 7ff848e70620 (five times), 7ff848e709d8, 7ff848e704b8, 7ff848e704b0, 7ff848e70348, 7ff848e70358, 7ff848e70f90, 7ff848e71250, 7ff848e711d8, 7ff848e70368, 7ff848e70378, 7ff848e70388, 7ff848e710f8, 7ff848e70978 and 7ff848e71170; no imported API resolved.]
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.3349107000.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: cAN_^
                                                        • API String ID: 0-2037741601
                                                        • Opcode ID: 48a90926f6c0108f33e60aa743f6d4907dfc27bfb4064d29d6b012c4d329bc15
                                                        • Instruction ID: 4010943c0fdb27202e53e11cf101f47d10c6d6f79d78d322d8d1d837015bdffa
                                                        • Opcode Fuzzy Hash: 48a90926f6c0108f33e60aa743f6d4907dfc27bfb4064d29d6b012c4d329bc15
                                                        • Instruction Fuzzy Hash: FF42B120B2DA495FE798FB3884657B9B7D2FF98780F440579E40DC32C6DE39A8428749

                                                        Control-flow Graph

                                                         [Control-flow graph rendered as an image in the original; edge list omitted. Function entry 7ff848e767da; calls the API CheckRemoteDebuggerPresent.]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.3349107000.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0
                                                        • Opcode ID: 3f72bc13b99403c1cdc3a78b9222f698cab17e0c7ba9aa191ebc05e52224cdb3
                                                        • Instruction ID: a6d934f6229b12f51b9aca3d815ada4c717dfbdf1fdd2656ec8418f6e4634704
                                                        • Opcode Fuzzy Hash: 3f72bc13b99403c1cdc3a78b9222f698cab17e0c7ba9aa191ebc05e52224cdb3
                                                        • Instruction Fuzzy Hash: 9B31C431908A1C8FDB58EF5CC88A7F9BBE0FF65311F14412ED48AD7242DB70A8568B91

                                                        Control-flow Graph

                                                         [Control-flow graph rendered as an image in the original; edge list omitted. Function entry 7ff848e760c6; calls 7ff848e76584; no imported API resolved.]
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.3349107000.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 60e8fe26c9a3ed4a4f5b8b7c944fcf57807d09bf5143da21f31e10341213ae82
                                                        • Instruction ID: 5fd1175b10e4e727c13ed057b506398ca3193325f06dbcb513b43506de3adb8a
                                                        • Opcode Fuzzy Hash: 60e8fe26c9a3ed4a4f5b8b7c944fcf57807d09bf5143da21f31e10341213ae82
                                                        • Instruction Fuzzy Hash: 13F1A43090CA8E8FEBA8EF28C8557E937E1FF54350F04426EE84DC7695DB7498458B86

                                                        Control-flow Graph

                                                         [Control-flow graph rendered as an image in the original; edge list omitted. Function entry 7ff848e77282; calls 7ff848e77710; no imported API resolved.]
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.3349107000.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f58e03370c7f801ff9049dd0dc24b630e4b21cecf42743649b5aff9b3ef36c96
                                                        • Instruction ID: 27ca9d7e0d334265f5a9ee36d26cc46632bdf7606e60780236ece37f4364b29c
                                                        • Opcode Fuzzy Hash: f58e03370c7f801ff9049dd0dc24b630e4b21cecf42743649b5aff9b3ef36c96
                                                        • Instruction Fuzzy Hash: D4E1A33090CA8E8FEBA8EF28C8557E97BD1FB54350F14426EE84DC7295DB7498458B81

                                                         Memory Dump Source
                                                        • Source File: 00000000.00000002.3349107000.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8961c9b2e53eb90bf1409893529b6f9b2ea64f8f92fa354d7ec47afdf48e9233
                                                        • Instruction ID: 41ef67bfcf17b0e0e18cd0614aae80910e07fa9e434319341131dce7b0167db5
                                                        • Opcode Fuzzy Hash: 8961c9b2e53eb90bf1409893529b6f9b2ea64f8f92fa354d7ec47afdf48e9233
                                                        • Instruction Fuzzy Hash: E3611F20A1E6C95FD797A7781824276BFE4EF97269F0800FBE0CAC61D7DE180846C356

                                                        Control-flow Graph

                                                         [Control-flow graph rendered as an image in the original; edge list omitted. Function entry 7ff848e7aa5d; calls the API RtlSetProcessIsCritical.]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.3349107000.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID: CriticalProcess
                                                        • String ID:
                                                        • API String ID: 2695349919-0
                                                        • Opcode ID: 8d8708c93368c773425ab1e6cd405f56c61ff2943dbaf0d6148a4092ade68d08
                                                        • Instruction ID: 4453ebba87191f521cb6eb2432ccc7f6d952e913def4927362d9846e03854326
                                                        • Opcode Fuzzy Hash: 8d8708c93368c773425ab1e6cd405f56c61ff2943dbaf0d6148a4092ade68d08
                                                        • Instruction Fuzzy Hash: 8641C33180C6588FD719DFA8D845BE9BBF0FF56311F08416EE08AC3692DB746846CBA1

                                                        Control-flow Graph

                                                         [Control-flow graph rendered as an image in the original; edge list omitted. Function entry 7ff848e77a81; calls the API CheckRemoteDebuggerPresent.]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.3349107000.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 526 7ff848e78b92-7ff848e7aada 529 7ff848e7aae2-7ff848e7ab40 RtlSetProcessIsCritical 526->529 530 7ff848e7ab48-7ff848e7ab7d 529->530 531 7ff848e7ab42 529->531 531->530
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.3349107000.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID: CriticalProcess
                                                        • String ID:
                                                        • API String ID: 2695349919-0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2225088646.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: X7$A
                                                        • API String ID: 0-4276788196
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2224673736.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2224078250.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848d4d000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2224673736.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2224673736.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2225088646.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2225088646.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2225088646.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2224673736.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2224673736.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: N_^4$N_^7$N_^F$N_^J
                                                        • API String ID: 0-3508309026
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2329694146.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848f40000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: X7R.
                                                        • API String ID: 0-1518483805
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2327973911.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848d5d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: t~^
                                                        • API String ID: 0-4197840031
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2328818414.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2328818414.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2328818414.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2328818414.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2329694146.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848f40000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2329694146.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848f40000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2329694146.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848f40000_powershell.jbxd
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2328818414.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M_^4$M_^5$M_^@$M_^N$M_^U$M_^Y
                                                        • API String ID: 0-3990506085
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2498953455.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2497998769.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2496976901.00007FF848D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D3D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848d3d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dfc290c193389264eec6ddf03f216e1dc5884ee52c4b837a3d22fc0c5a5b5b17
                                                        • Instruction ID: dd5510eccd5a2c2e8c48c3190b22f3007d4cbd95f0a7d0a7a8989916f574b2c3
                                                        • Opcode Fuzzy Hash: dfc290c193389264eec6ddf03f216e1dc5884ee52c4b837a3d22fc0c5a5b5b17
                                                        • Instruction Fuzzy Hash: 9C410A3180EBC44FE7569B28A845A523FF0EF57260F1505DFD088CB5E7D625A84AC792
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2497998769.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 42aa48d93aef3a9e445f5cb1c23dcd6eb9ccf45dea3f4e4707ba94591c958670
                                                        • Instruction ID: 91776aa52671d3258933a3cbed9f9a54e02320fc507ec9f4f92b4ae6cd6c669d
                                                        • Opcode Fuzzy Hash: 42aa48d93aef3a9e445f5cb1c23dcd6eb9ccf45dea3f4e4707ba94591c958670
                                                        • Instruction Fuzzy Hash: D031E77191CA488FDB5CEF5CA8066B9BBE0FB99710F00422FE44993252DB30A855CBC2
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2497998769.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8c964d908db51b660ac5d049e9a0b844eccaf55efbd16d24689923aec419b04f
                                                        • Instruction ID: 3dbff507972a2aba996759d4af33cedc4d470815ab2cfafa9b9ad67cbdd84ab4
                                                        • Opcode Fuzzy Hash: 8c964d908db51b660ac5d049e9a0b844eccaf55efbd16d24689923aec419b04f
                                                        • Instruction Fuzzy Hash: F321287190CB4C8FDB59EBAC984A7E97FE0EB96320F04416BD048C3152DB749456CB92
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2497998769.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                        • Instruction ID: 78ab6d498f6125abe5bebb0063a879210b55f36b9771897099adb0ca38aabd7b
                                                        • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                        • Instruction Fuzzy Hash: B601677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3661DB36E882CB45
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2498953455.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 238f0104f66e3ed13ea4410dff27815139fd6adc425eab27abaec5c6a6d7f4ec
                                                        • Instruction ID: 05f5457eeee3d9ba7d768b572e697b2d455a144274c0ea40f239fdc863a231f9
                                                        • Opcode Fuzzy Hash: 238f0104f66e3ed13ea4410dff27815139fd6adc425eab27abaec5c6a6d7f4ec
                                                        • Instruction Fuzzy Hash: 8FF09A32A0C5458FE79AEB1CF4009A877F0FF65360B1500BAE06DC71A3CB2AEC518758
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2498953455.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8c3397adc021a2aae3d9ae6bc1dc3799f0069bc6c08feb0cf713ed7c7485cb2e
                                                        • Instruction ID: 2b33ac6f9d3aecfb0362cb29915657935ffda45f1aeed638c8275abcee4ad674
                                                        • Opcode Fuzzy Hash: 8c3397adc021a2aae3d9ae6bc1dc3799f0069bc6c08feb0cf713ed7c7485cb2e
                                                        • Instruction Fuzzy Hash: BFF09A31A0C5858FEB98AB18A4409A87BF0EF55360B1500F6E059CB0A3DB2AAC608768
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2498953455.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848f20000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                        • Instruction ID: ac9ebeb00141d27f6d50404bc01976cee49d6fe075903218dafe9e0376012d07
                                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                        • Instruction Fuzzy Hash: 44E01A31B0C8088FEA69EB0CF0409A973E1FBA8361B1101B7D14EC75A1CB22EC518B84
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2497998769.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^$O_^$O_^$O_^
                                                        • API String ID: 0-934926442
                                                        • Opcode ID: cd5cf5fe757414419d3f59bf8fcd5b0c884d300b899a177f0917b5aca0065258
                                                        • Instruction ID: 50868eb6e5f9c0735c7c1e69a00ef220e20764233ceb1050f6044406c39a7eec
                                                        • Opcode Fuzzy Hash: cd5cf5fe757414419d3f59bf8fcd5b0c884d300b899a177f0917b5aca0065258
                                                        • Instruction Fuzzy Hash: 9A41E6E390E6D25FE347976958650A6BFA0FF52394F0D04F7C48D8F093EE29680B9215
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.2497998769.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ff848e50000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^4$O_^7$O_^F$O_^J
                                                        • API String ID: 0-875994666
                                                        • Opcode ID: 20e8c86c78f39619545557bfa8f1b31d7e97040b85d5d36bf3b4b000466823a0
                                                        • Instruction ID: f7bb8534e8d541326229c246a94494fb209dcbbb9a85dfa9e535371decb99541
                                                        • Opcode Fuzzy Hash: 20e8c86c78f39619545557bfa8f1b31d7e97040b85d5d36bf3b4b000466823a0
                                                        • Instruction Fuzzy Hash: 6E2149F7659425AED3093B7DF8045E93740DFD4272B4951B2D19E8F243EA1470878AE4
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 10b1095541c4b6f6de959fadcc6a5a0eeace5c9c50cda1bc45028169272ebce5
                                                        • Instruction ID: 0535cb1be6a3b8b2d7934983ab42311fac56238a473bce669a33fbbfe710207c
                                                        • Opcode Fuzzy Hash: 10b1095541c4b6f6de959fadcc6a5a0eeace5c9c50cda1bc45028169272ebce5
                                                        • Instruction Fuzzy Hash: 81F13963A4DA966FD709B7BCB8511F97BA0EF412B5F0C41B7C088CA093DE18284687A5
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 95eb5b0c5503e6b6a8629596bea3676244b0c1694b30a01ac703c4d7db54af0a
                                                        • Instruction ID: 13bd04f7077db4f83956af562ea5107e694bb086304d6dd420ccefbe51724629
                                                        • Opcode Fuzzy Hash: 95eb5b0c5503e6b6a8629596bea3676244b0c1694b30a01ac703c4d7db54af0a
                                                        • Instruction Fuzzy Hash: 1C42B230B2DA459FE798FB6884957B9B7D2FF98780F440579E00EC32C6DE39A8418B45
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5ef22e68d11dc643b6ca3c1ba026e87d85116216ecb80586bbe00e5ce6e70c3b
                                                        • Instruction ID: c508f966be940f78aa9ebf61daca220d753a63d73b1199f4e1dc875c6d9382e8
                                                        • Opcode Fuzzy Hash: 5ef22e68d11dc643b6ca3c1ba026e87d85116216ecb80586bbe00e5ce6e70c3b
                                                        • Instruction Fuzzy Hash: D8611F20A1E6C95FD797A7781824276BFE4EF97269F0800FBE0CAC61D7DE180806C356
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :N_^
                                                        • API String ID: 0-1965447803
                                                        • Opcode ID: fb1f74b977b91bb5a82adc02fc5dbb959c9fdb19ba3b846888c35cf1a1740d86
                                                        • Instruction ID: 9f12d6006dba81ef23bd84b96e7850962cc05504d7407854e73ed6edde8ef04a
                                                        • Opcode Fuzzy Hash: fb1f74b977b91bb5a82adc02fc5dbb959c9fdb19ba3b846888c35cf1a1740d86
                                                        • Instruction Fuzzy Hash: 368107B6A8D92AAFD709B7ACF4511FDB790FF803A5F484176D109C7183CE2864458BA8
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c2d45f59236066a0f6fa0cb127df3f669bfc3e7a2fed7468943093fb535c3994
                                                        • Instruction ID: 9ff9e7fb29e3fe98027b1cfdaff472b477a0eb6b7b2b8250f5c2278035b2ff56
                                                        • Opcode Fuzzy Hash: c2d45f59236066a0f6fa0cb127df3f669bfc3e7a2fed7468943093fb535c3994
                                                        • Instruction Fuzzy Hash: 0341C672E0DA8A5FD749F7ACA8611F97BB0FF41295F4840B7C049DB193DF2818098794
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c887be0f44e282e3c95c0c0d4a1c95109f19507759d7478613c95b7c22b4f40
                                                        • Instruction ID: 13b9daee039a823e423f14795e353b50ae4df8853462a73278a1df86920c0cf4
                                                        • Opcode Fuzzy Hash: 5c887be0f44e282e3c95c0c0d4a1c95109f19507759d7478613c95b7c22b4f40
                                                        • Instruction Fuzzy Hash: 7831D332E0CA8E8FE748E7A898661FDBBB1FF55291F4401B6C00AD72D2DF3918098355
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f05676cd96313f74f60337f2a6f239db09198dccd1f118c76c64b3d82a6416c7
                                                        • Instruction ID: 4bd8d3b55176cfd90b44a13b7b0be744dae751dca91e7f99a7504cdc169bbff0
                                                        • Opcode Fuzzy Hash: f05676cd96313f74f60337f2a6f239db09198dccd1f118c76c64b3d82a6416c7
                                                        • Instruction Fuzzy Hash: 6031E020B1D9495FE798EB2C985A379A6C2FF98791F0401BAE00EC32D7DE689C018341
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 879b6309b18ba04bf8095c4b2d40ff84a881b199a8758a90e7daf67aaa843c6f
                                                        • Instruction ID: 77a6e6a4dbf30b1265e488416025f5ecb330ea77d1d62acf8b48b294b73fda69
                                                        • Opcode Fuzzy Hash: 879b6309b18ba04bf8095c4b2d40ff84a881b199a8758a90e7daf67aaa843c6f
                                                        • Instruction Fuzzy Hash: C921C461E1CE85AFE788B7B858193B9BBD2FF94790F18417AE40DC32C3DE6898414752
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 517c9df48962a791fbdf07a41864c0a19c1937285188b7d92ca94b44a7036c0d
                                                        • Instruction ID: 2ac780a6ac2bf56008127955f00ab759db8c7d2828d2239b028cffabfecd3ad0
                                                        • Opcode Fuzzy Hash: 517c9df48962a791fbdf07a41864c0a19c1937285188b7d92ca94b44a7036c0d
                                                        • Instruction Fuzzy Hash: 52014764D1D7C58FE789BB3858550763FE0EF923D1F4805BAD88AC71D7EE2899808345
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2661270086.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6cb0940f2450d40f11950af490fb8cc5e2bfc93d1aa307a4ba8aad24b515e228
                                                        • Instruction ID: b4f13460432597b2e1707635e92f27457febe62e543c14d3eaba01e2ecbcf0f6
                                                        • Opcode Fuzzy Hash: 6cb0940f2450d40f11950af490fb8cc5e2bfc93d1aa307a4ba8aad24b515e228
                                                        • Instruction Fuzzy Hash: 35E06D21B18D1D5FEF84FBAC94453FCA2D1EB8C652F500177D50DD3286CE2858018791
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2716898398.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 20086867fc81e370273310742d869b7b46f8d1d2c88296f2198432a6a58417aa
                                                        • Instruction ID: 76c3e5c7990164b820bb6fb0da45063bc5aeda9ec92db23e334b2f42961f2e03
                                                        • Opcode Fuzzy Hash: 20086867fc81e370273310742d869b7b46f8d1d2c88296f2198432a6a58417aa
                                                        • Instruction Fuzzy Hash: 0FF13963A4DA966FD709B7BCB8551F97BA0EF412B5F0C41B7C088CA093DE18284687A5
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2716898398.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d73c6babdb6a3394d45229eef9dbd52c652d6fcb5f296df6a501c05b9e864a4c
                                                        • Instruction ID: 88f486da5b2d4107b6e9e7a5beedd97cfe419c18a159e74a854777e726a7038e
                                                        • Opcode Fuzzy Hash: d73c6babdb6a3394d45229eef9dbd52c652d6fcb5f296df6a501c05b9e864a4c
                                                        • Instruction Fuzzy Hash: 0442C220B2CA495FE798FB2884597B9B7D2FF88780F440579E40EC32C6DF38A8458756
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2716898398.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_7ff848e70000_NJRAT DANGEROUS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 853166530fee5e6dd54237584c4f5e29bcd025e96ecec50ea2729278aa38780a
                                                        • Instruction ID: de002006a09c5bc5a53f28e2e28a168809c760a10ca871d4b48dec9fdff370e3
                                                        • Opcode Fuzzy Hash: 853166530fee5e6dd54237584c4f5e29bcd025e96ecec50ea2729278aa38780a
                                                        • Instruction Fuzzy Hash: E2610020A5E6C95FD797A7781824276BFE4EF57269F0800FBE0CAC61D7DE180846C356
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.2716898398.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin