Windows Analysis Report
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Overview

General Information

Sample name: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe
Analysis ID: 1480419
MD5: 1a4ac0f78511c028b51e0b302b080946
SHA1: cf5d9e076aabb18759dfeabf59f4328f3fe30088
SHA256: d59c7ccf805724c5a8704e0ed9e457bfe33b61e150d646c1da2703e30c22da9e
Tags: exe

Detection

Njrat
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
PE file contains sections with non-standard names
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Avira: detected
Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Njrat {"Host": "8.tcp.ngrok.io", "Port": "10489", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "Server.exe", "Install Dir": "AppData"}
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe ReversingLabs: Detection: 97%
Source: Yara match File source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE
Source: Yara match File source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe PID: 5352, type: MEMORYSTR
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Joe Sandbox ML: detected
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49756 version: TLS 1.0
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:63959 version: TLS 1.2
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: autorun.inf
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [autorun]
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Binary or memory string: autorun.inf
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Binary or memory string: [autorun]
Source: global traffic TCP traffic: 192.168.2.5:63957 -> 1.1.1.1:53
Source: Joe Sandbox View IP Address: 13.107.246.42 13.107.246.42
Source: Joe Sandbox View IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49756 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1
  Host: wcpstatic.microsoft.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Accept: */*
  Sec-Fetch-Site: same-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: script
  Referer: https://learn.microsoft.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1
  Host: js.monitor.azure.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Accept: */*
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: script
  Referer: https://learn.microsoft.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1
  Host: wcpstatic.microsoft.com
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: */*
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1
  Host: js.monitor.azure.com
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: */*
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
  Range: bytes=0-2147483646
  User-Agent: Microsoft BITS/7.8
  Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S8+5YrXKhXghv93&MD=EDNDSfnb HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S8+5YrXKhXghv93&MD=EDNDSfnb HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: </section>`}function Ise(e=hT,t=Gd){return Ha(UB,e,t)}function Pse(e=TT,t=yT){return Ha(aB,e,t)}var yI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yI||{}),xke={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function ex(e,t,n){let o=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=n?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(c8.replace("{achievementTitle}",n?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),g={achievementCopy:p,url:u,title:o,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: </section>`}function Ise(e=hT,t=Gd){return Ha(UB,e,t)}function Pse(e=TT,t=yT){return Ha(aB,e,t)}var yI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yI||{}),xke={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function ex(e,t,n){let o=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=n?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(c8.replace("{achievementTitle}",n?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),g={achievementCopy:p,url:u,title:o,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: </section>`}function Ise(e=hT,t=Gd){return Ha(UB,e,t)}function Pse(e=TT,t=yT){return Ha(aB,e,t)}var yI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yI||{}),xke={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function ex(e,t,n){let o=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=n?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(c8.replace("{achievementTitle}",n?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),g={achievementCopy:p,url:u,title:o,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: mdec.nelreports.net
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_179.4.dr String found in binary or memory: http://schema.org/Organization
Source: chromecache_179.4.dr String found in binary or memory: https://aka.ms/ContentUserFeedback
Source: chromecache_161.4.dr, chromecache_159.4.dr String found in binary or memory: https://aka.ms/DP600/Plan/LearnT2?ocid=fabric24-dp600plan_learnpromo_T2_ad
Source: chromecache_161.4.dr, chromecache_159.4.dr String found in binary or memory: https://aka.ms/LFO_Events?wt.mc_id=esi_lfobannerevents_webpage_wwl
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_179.4.dr, chromecache_154.4.dr, chromecache_188.4.dr String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_179.4.dr String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_179.4.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_179.4.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: chromecache_187.4.dr String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://github.com/$
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/Thraka
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/adegeo
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/dotnet/docs/issues
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/gewarren
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/mairaw
Source: chromecache_179.4.dr String found in binary or memory: https://github.com/nschonni
Source: chromecache_179.4.dr String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://learn-video.azurefd.net/
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_187.4.dr String found in binary or memory: https://schema.org
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_180.4.dr, chromecache_187.4.dr String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 63959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:63959 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, kl.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match File source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE
Source: Yara match File source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe PID: 5352, type: MEMORYSTR

System Summary

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: classification engine Classification label: mal96.troj.spyw.evad.winEXE@30/67@12/6
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe ReversingLabs: Detection: 97%
Source: unknown Process created: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe "C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe"
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 --field-trial-handle=1884,i,637461877397389753,4389975086437105104,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1936,i,10713725616331725220,8343982404964030147,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 --field-trial-handle=1884,i,637461877397389753,4389975086437105104,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1936,i,10713725616331725220,8343982404964030147,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: Google Drive.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
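A caveat a triager needs when reading the process tree above: the chrome.exe launches are not the RAT's own behaviour. A browser opened on go.microsoft.com/fwlink with o1=SHIM_NOVERSION_FOUND and sbp=AppLaunch2 is the .NET startup shim (mscoree.dll) telling the user that the runtime the binary asks for was not found, and the Section loaded list for the sample shows mscoree.dll plus the shell/URL-launch stack (ieframe.dll, urlmon.dll, wininet.dll) but no clr.dll, which is consistent with the managed payload never starting. Everything chrome.exe and its children then do (the Chrome Apps .lnk files under the Start Menu, TLS and DNS traffic) descends from that launch, so the static and Yara findings carry the verdict here, not the behavioural ones. The script below is an added example, not part of the Joe Sandbox report: it walks constructed process-creation events built from the command lines above, recognises the shim redirect by parsing its query string, and labels each process so that file writes can be attributed to the sample or to the browser subtree. PID 5352 is the sample's PID from the report; PIDs 1000, 6000 and 6001 are assumed.

```python
"""Attribute sandbox process and file events to the sample or to the .NET shim's
browser fallback.  Added example; not Joe Sandbox code and not the sample's code."""
from urllib.parse import parse_qs, urlsplit

SAMPLE_IMAGE = (r"C:\Users\user\Desktop"
                r"\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe")
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"


def shim_fallback(cmdline: str):
    """If cmdline is a browser launched by the .NET shim's 'runtime not found'
    redirect, return the shim's own parameters; otherwise return None."""
    marker = "--single-argument "
    if marker not in cmdline:
        return None
    url = cmdline.split(marker, 1)[1].split()[0]
    parts = urlsplit(url)
    if parts.hostname != "go.microsoft.com" or not parts.path.startswith("/fwlink"):
        return None
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if query.get("o1") != "SHIM_NOVERSION_FOUND":
        return None
    return {"requested_runtime": query.get("pver"),
            "shim_version": query.get("shimver"),
            "process": query.get("processName")}


def attribute(events):
    """events: (pid, ppid, image, cmdline) tuples in creation order (parents first).
    Returns {pid: label} with labels 'sample', 'sample-child',
    'dotnet-shim-fallback', 'browser-child' or 'unrelated'."""
    labels = {}
    for pid, ppid, image, cmdline in events:
        if image.lower() == SAMPLE_IMAGE.lower():
            labels[pid] = "sample"
        elif shim_fallback(cmdline) is not None:
            labels[pid] = "dotnet-shim-fallback"
        elif labels.get(ppid) in ("dotnet-shim-fallback", "browser-child"):
            labels[pid] = "browser-child"
        elif labels.get(ppid) in ("sample", "sample-child"):
            labels[pid] = "sample-child"
        else:
            labels[pid] = "unrelated"
    return labels


def files_attributable_to_sample(events, file_events):
    """Keep only the file writes made by the sample or by a process it spawned
    outside the shim/browser subtree; those are the ones worth a persistence verdict."""
    labels = attribute(events)
    return [(pid, path) for pid, path in file_events
            if labels.get(pid) in ("sample", "sample-child")]


# Command lines taken from the report; PIDs other than 5352 are assumed.
SHIM_URL = ("http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409"
            "&o1=SHIM_NOVERSION_FOUND&version=(null)&processName="
            "7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe"
            "&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0")
EVENTS = [
    (5352, 1000, SAMPLE_IMAGE, '"%s"' % SAMPLE_IMAGE),
    (6000, 5352, CHROME, '"%s" --start-maximized --single-argument %s' % (CHROME, SHIM_URL)),
    (6001, 6000, CHROME, '"%s" --type=utility --utility-sub-type=network.mojom.NetworkService '
                         '--lang=en-US --service-sandbox-type=none /prefetch:8' % CHROME),
]
# Constructed file events: the Start Menu shortcuts the report lists are written by chrome.exe.
FILE_EVENTS = [
    (6000, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk"),
    (6000, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk"),
]

if __name__ == "__main__":
    print(attribute(EVENTS))
    print(shim_fallback(EVENTS[1][3]))
    print(files_attributable_to_sample(EVENTS, FILE_EVENTS))  # empty: the .lnk writes are Chrome's
```

The labelling is deliberately conservative: only a process whose ancestry runs back to the sample without passing through the shim launch counts as the sample's, so a child the RAT itself spawned (if the runtime had been present) would still be flagged as sample-child.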

Data Obfuscation

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: initial sample Static PE information: section where entry point is pointing to: u
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Static PE information: section name: u
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Static PE information: section name: u entropy: 6.933656811505602

Boot Survival

Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Malware Analysis System Evasion

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, 00000000.00000002.2144372870.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, 00000000.00000002.2144372870.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

HIPS / PFW / Operating System Protection Evasion

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
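The static indicators that survive the failed detonation are the ones under Data Obfuscation (entry point in a section named "u" with entropy 6.93, i.e. a packed stub rather than a normal .text) and the P/Invoke names under HIPS / PFW above (GetAsyncKeyState and MapVirtualKey in kl.cs for keystroke polling, capGetDriverDescriptionA in OK.cs for webcam enumeration). The script below reproduces those three checks without any third-party dependency so they can be rerun on a quarantined file. It is an added example, not Joe Sandbox code and not the sample's code: it parses the PE section table directly, computes Shannon entropy per section, resolves which section owns AddressOfEntryPoint, and scans the raw bytes for the API names, which works on a .NET assembly because P/Invoke targets are stored as ASCII in the #Strings heap. The input is a constructed minimal PE built in the script (build_sample_pe), with a low-entropy .text that carries the API names and a flat-histogram section "u" owning the entry point; the 6.8 bits/byte threshold and the list of standard section names are the script's own assumptions.

```python
"""Static triage: entry-point section, per-section entropy and suspicious API names.
Added example; not Joe Sandbox code and not the analysed sample."""
import math
import struct
from collections import Counter

# Section names a normal linker emits; anything else (here: "u") deserves a second look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".tls", ".pdata", ".bss", ".CRT"}

# P/Invoke targets named in the report, searched as raw ASCII (they live in #Strings).
SUSPICIOUS_APIS = {
    b"GetAsyncKeyState": "polls key state (keylogger)",
    b"MapVirtualKey": "maps virtual keys to characters (keylogger)",
    b"capGetDriverDescriptionA": "enumerates capture devices (webcam access)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a flat byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset for PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "raw": pe[rawptr:rawptr + rawsize]})
    return entry_rva, sections


def triage(pe: bytes, entropy_threshold: float = 6.8) -> list:
    """Human-readable findings; an empty list means none of the checks fired."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    owner = next((s for s in sections
                  if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], len(s["raw"]))), None)
    if owner is None:
        findings.append("entry point 0x%x maps to no section" % entry_rva)
    elif owner["name"] not in STANDARD_SECTIONS:
        findings.append("entry point 0x%x lies in non-standard section %r" % (entry_rva, owner["name"]))
    for s in sections:
        entropy = shannon_entropy(s["raw"])
        if s["name"] not in STANDARD_SECTIONS:
            findings.append("non-standard section name %r" % s["name"])
        if entropy >= entropy_threshold:
            findings.append("high-entropy section %r (%.2f bits/byte)" % (s["name"], entropy))
    for api, why in SUSPICIOUS_APIS.items():
        if api in pe:
            findings.append("references %s: %s" % (api.decode(), why))
    return findings


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 from [(name, vaddr, data)]: constructed test input only."""
    align = 0x200
    hdr_len = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    raw_base = -(-hdr_len // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    table, body, cursor = b"", b"", raw_base
    for name, vaddr, data in sections:
        raw = data + b"\0" * (-len(data) % align)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), vaddr,
                             len(raw), cursor, 0, 0, 0, 0, 0x60000020)
        body += raw
        cursor += len(raw)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (raw_base - len(headers)) + body


# Constructed stand-in for the analysed file: low-entropy .text holding the API names,
# and a packed-looking section "u" (flat histogram, 8.0 bits/byte) that owns the entry point.
TEXT_DATA = b"\x90" * 64 + b"\0".join(SUSPICIOUS_APIS) + b"\0"
PACKED_DATA = bytes(range(256)) * 16
SAMPLE_PE = build_sample_pe([(".text", 0x1000, TEXT_DATA), ("u", 0x2000, PACKED_DATA)], 0x2010)

if __name__ == "__main__":
    for line in triage(SAMPLE_PE):
        print(line)
```

On the real file the same three findings are expected to fire (entry point and high entropy in "u", plus the three API names); the entropy of 6.93 reported above sits comfortably over the 6.8 threshold, while a plain .NET .text section normally measures well under 6.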

Stealing of Sensitive Information

Source: Yara match File source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE
Source: Yara match File source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe PID: 5352, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE
Source: Yara match File source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe PID: 5352, type: MEMORYSTR