I used the any.run sandbox.

I also used several pre- and post-infection analysis techniques, such as network capture using Wireshark and memory dump analysis using Volatility.

njRAT (check the parent process)

Creates files or folders in the user directory
Reads environment values
Reads the machine GUID from the registry
The process checks LSA protection
Reads the computer name
Checks supported languages
Connects to an unusual port
Starts cmd.exe

DCRat (check the parent process)

Creates files or folders in the user directory
Reads environment values
Reads the machine GUID from the registry
The process checks LSA protection
Reads the computer name
Checks supported languages

Arkei RAT (check the parent process)

The process checks LSA protection
Creates files or folders in the user directory
Drops the executable file immediately after the start
Drops a file that was compiled in debug mode

Ethernal Stealer

Reads CPU info
Reads the machine GUID from the registry
The process checks LSA protection
Reads environment values
Reads the computer name
Checks supported languages
Reads settings of system certificates
Reads browser cookies
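The behaviour labels above recur across all four families: reading the machine GUID, checking LSA protection and reading the computer name form a host-fingerprinting cluster, and the notes repeatedly say to check the parent process. The script below is an added example, not part of the original notes or of any.run, that turns those labels into triage logic over a constructed event log in a made-up `KIND|pid|...` format (process creation, registry reads, file writes, network connections). The registry paths are the well-known Windows locations for these values; the list of "common" ports, the sample PIDs, image names, IP and port are all constructed assumptions. The point the labels alone do not show: the fingerprinting cluster also appears in legitimate software, so the verdict requires an action indicator (spawning cmd.exe, dropping into the user profile, an unusual port) and reports the parent chain for manual review.

```python
"""Triage sandbox behaviour events for the RAT/stealer fingerprinting pattern described above."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Well-known Windows registry locations behind the behaviour labels (matched as lowercase suffixes).
FINGERPRINT_KEYS = {
    r"\microsoft\cryptography\machineguid": "reads machine GUID",
    r"\control\lsa\runasppl": "checks LSA protection",
    r"\control\computername\computername": "reads computer name",
    r"\control\nls\language": "checks supported languages",
}
# The three labels that appear together in every family listed on this page.
FINGERPRINT_CLUSTER = {"reads machine GUID", "checks LSA protection", "reads computer name"}
COMMON_PORTS = {53, 80, 443, 8080}  # assumption: anything else is reported as unusual


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    indicators: Set[str] = field(default_factory=set)


def parse_events(lines: List[str]) -> Dict[int, Proc]:
    """Build a process table from constructed 'KIND|pid|...' events and tag each process."""
    procs: Dict[int, Proc] = {}
    for line in lines:
        kind, pid_s, *rest = line.strip().split("|")
        pid = int(pid_s)
        if kind == "PROC":  # PROC|pid|ppid|image
            ppid, image = int(rest[0]), rest[1]
            procs[pid] = Proc(pid, ppid, image)
            if image.lower().endswith("\\cmd.exe") and ppid in procs:
                procs[ppid].indicators.add("spawns cmd.exe")  # credit the parent, not cmd.exe
            continue
        proc = procs.setdefault(pid, Proc(pid, -1, "<unknown>"))
        if kind == "REG":  # REG|pid|key path
            path = rest[0].lower()
            for suffix, label in FINGERPRINT_KEYS.items():
                if path.endswith(suffix):
                    proc.indicators.add(label)
        elif kind == "FILE":  # FILE|pid|path written
            if rest[0].lower().startswith("c:\\users\\"):
                proc.indicators.add("writes into user directory")
        elif kind == "NET":  # NET|pid|dst ip|dst port
            port = int(rest[1])
            if port not in COMMON_PORTS:
                proc.indicators.add(f"connects to unusual port {port}")
    return procs


def parent_chain(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image basenames from the parent up to the root: the 'check the parent process' step."""
    chain, seen = [], set()
    ppid = procs[pid].ppid
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        chain.append(procs[ppid].image.rsplit("\\", 1)[-1])
        ppid = procs[ppid].ppid
    return chain


def triage(lines: List[str]) -> Dict[int, dict]:
    """Per-process report; 'suspicious' needs the fingerprint cluster plus an action indicator."""
    procs = parse_events(lines)
    report = {}
    for pid, p in procs.items():
        fingerprinting = FINGERPRINT_CLUSTER <= p.indicators
        action = any(i.startswith(("spawns", "writes", "connects")) for i in p.indicators)
        report[pid] = {
            "image": p.image.rsplit("\\", 1)[-1],
            "parent_chain": parent_chain(procs, pid),
            "indicators": sorted(p.indicators),
            "verdict": "suspicious" if fingerprinting and action else "benign-looking",
        }
    return report


def suspicious_pids(lines: List[str]) -> List[int]:
    return sorted(pid for pid, r in triage(lines).items() if r["verdict"] == "suspicious")


# Constructed sample: one dropper doing the full pattern, one legitimate app that only reads the language.
SAMPLE_EVENTS = [
    r"PROC|400|300|C:\Windows\explorer.exe",
    r"PROC|1234|400|C:\Users\victim\AppData\Roaming\update.exe",
    r"REG|1234|HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid",
    r"REG|1234|HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL",
    r"REG|1234|HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName",
    r"REG|1234|HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language",
    r"FILE|1234|C:\Users\victim\AppData\Roaming\svchost.exe",
    r"NET|1234|203.0.113.10|5552",
    r"PROC|1300|1234|C:\Windows\System32\cmd.exe",
    r"PROC|2000|400|C:\Program Files\Notepad++\notepad++.exe",
    r"REG|2000|HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language",
]

if __name__ == "__main__":
    for pid, r in triage(SAMPLE_EVENTS).items():
        print(pid, r["image"], r["verdict"], "parents:", r["parent_chain"], r["indicators"])
```

Only PID 1234 is reported as suspicious: it reads all three fingerprint values, drops a file under the user profile, talks to a non-standard port and spawns cmd.exe, with explorer.exe as its parent. notepad++.exe reads the language key too but gets no verdict beyond benign-looking, which is the caveat behind every "check the parent process" note above: a single fingerprint read is not evidence on its own.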