Edit tour

Windows Analysis Report
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Overview

General Information

Sample name:	7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe
Analysis ID:	1480419
MD5:	1a4ac0f78511c028b51e0b302b080946
SHA1:	cf5d9e076aabb18759dfeabf59f4328f3fe30088
SHA256:	d59c7ccf805724c5a8704e0ed9e457bfe33b61e150d646c1da2703e30c22da9e
Tags:	exe
Infos:

Detection

Njrat

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

PE file contains sections with non-standard names

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe" MD5: 1A4AC0F78511C028B51E0B302B080946)

chrome.exe (PID: 4040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2820 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 --field-trial-handle=1884,i,637461877397389753,4389975086437105104,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7760 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1936,i,10713725616331725220,8343982404964030147,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "8.tcp.ngrok.io", "Port": "10489", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "Server.exe", "Install Dir": "AppData"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x62c1:$a1: get_Registry 0x7cfa:$a3: Download ERROR 0x7fec:$a5: netsh firewall delete allowedprogram "
00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x7ee2:$a1: netsh firewall add allowedprogram 0x80dc:$b1: [TAP] 0x8082:$b2: & exit 0x804e:$c1: md.exe /k ping 0 & del
Process Memory Space: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe PID: 5352	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Avira: detected

Found malware configuration

Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "8.tcp.ngrok.io", "Port": "10489", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "Server.exe", "Install Dir": "AppData"}

Multi AV Scanner detection for submitted file

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

ReversingLabs: Detection: 97%

Yara detected Njrat

Source: Yara match	File source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe PID: 5352, type: MEMORYSTR

Machine Learning detection for sample

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Joe Sandbox ML: detected

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49756 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:63959 version: TLS 1.2

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Binary or memory string: autorun.inf
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Binary or memory string: [autorun]

Source: global traffic

TCP traffic: 192.168.2.5:63957 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 13.107.246.42 13.107.246.42
Source: Joe Sandbox View	IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49756 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S8+5YrXKhXghv93&MD=EDNDSfnb HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S8+5YrXKhXghv93&MD=EDNDSfnb HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: </section>`}function Ise(e=hT,t=Gd){return Ha(UB,e,t)}function Pse(e=TT,t=yT){return Ha(aB,e,t)}var yI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yI\|\|{}),xke={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function ex(e,t,n){let o=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=n?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(c8.replace("{achievementTitle}",n?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),g={achievementCopy:p,url:u,title:o,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: </section>`}function Ise(e=hT,t=Gd){return Ha(UB,e,t)}function Pse(e=TT,t=yT){return Ha(aB,e,t)}var yI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yI\|\|{}),xke={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function ex(e,t,n){let o=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=n?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(c8.replace("{achievementTitle}",n?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),g={achievementCopy:p,url:u,title:o,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: </section>`}function Ise(e=hT,t=Gd){return Ha(UB,e,t)}function Pse(e=TT,t=yT){return Ha(aB,e,t)}var yI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yI\|\|{}),xke={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function ex(e,t,n){let o=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=n?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(c8.replace("{achievementTitle}",n?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),g={achievementCopy:p,url:u,title:o,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)

Source: global traffic	DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: mdec.nelreports.net

Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_179.4.dr	String found in binary or memory: http://schema.org/Organization
Source: chromecache_179.4.dr	String found in binary or memory: https://aka.ms/ContentUserFeedback
Source: chromecache_161.4.dr, chromecache_159.4.dr	String found in binary or memory: https://aka.ms/DP600/Plan/LearnT2?ocid=fabric24-dp600plan_learnpromo_T2_ad
Source: chromecache_161.4.dr, chromecache_159.4.dr	String found in binary or memory: https://aka.ms/LFO_Events?wt.mc_id=esi_lfobannerevents_webpage_wwl
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_179.4.dr, chromecache_154.4.dr, chromecache_188.4.dr	String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_179.4.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_179.4.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_179.4.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: chromecache_187.4.dr	String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://github.com/$
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/Thraka
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/adegeo
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/dotnet/docs/issues
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/gewarren
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/mairaw
Source: chromecache_179.4.dr	String found in binary or memory: https://github.com/nschonni
Source: chromecache_179.4.dr	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://learn-video.azurefd.net/
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_187.4.dr	String found in binary or memory: https://schema.org
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_180.4.dr, chromecache_187.4.dr	String found in binary or memory: https://www.linkedin.com/cws/share?url=$

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:63959 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe PID: 5352, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@30/67@12/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe "C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe"
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 --field-trial-handle=1884,i,637461877397389753,4389975086437105104,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1936,i,10713725616331725220,8343982404964030147,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 --field-trial-handle=1884,i,637461877397389753,4389975086437105104,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1936,i,10713725616331725220,8343982404964030147,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Section loaded: wkscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, OK.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: initial sample

Static PE information: section where entry point is pointing to: u

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Static PE information: section name: u

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Static PE information: section name: u entropy: 6.933656811505602

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, 00000000.00000002.2144372870.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, 00000000.00000002.2144372870.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior
Source: C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe PID: 5352, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe PID: 5352, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Process Injection	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	97%	ReversingLabs	Win32.Virus.Jadtre
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	100%	Avira	W32/Jadtre.B
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	100%	Joe Sandbox ML

URLs

Source	Detection	Scanner	Label
http://polymer.github.io/PATENTS.txt	0%	URL Reputation	safe
https://schema.org	0%	URL Reputation	safe
http://polymer.github.io/LICENSE.txt	0%	URL Reputation	safe
http://polymer.github.io/AUTHORS.txt	0%	URL Reputation	safe
https://aka.ms/yourcaliforniaprivacychoices	0%	URL Reputation	safe
http://schema.org/Organization	0%	URL Reputation	safe
http://polymer.github.io/CONTRIBUTORS.txt	0%	URL Reputation	safe
https://client-api.arkoselabs.com/v2/api.js	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	0%	Avira URL Cloud	safe
https://aka.ms/LFO_Events?wt.mc_id=esi_lfobannerevents_webpage_wwl	0%	Avira URL Cloud	safe
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	0%	Avira URL Cloud	safe
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	0%	Avira URL Cloud	safe
https://aka.ms/certhelp	0%	Avira URL Cloud	safe
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	0%	Avira URL Cloud	safe
https://github.com/Thraka	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/issues	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	0%	Avira URL Cloud	safe
https://www.linkedin.com/cws/share?url=$	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	0%	Avira URL Cloud	safe
https://github.com/nschonni	0%	Avira URL Cloud	safe
https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js	0%	Avira URL Cloud	safe
https://github.com/mairaw	0%	Avira URL Cloud	safe
https://management.azure.com/subscriptions?api-version=2016-06-01	0%	Avira URL Cloud	safe
https://aka.ms/DP600/Plan/LearnT2?ocid=fabric24-dp600plan_learnpromo_T2_ad	0%	Avira URL Cloud	safe
https://github.com/Youssef1313	0%	Avira URL Cloud	safe
https://aka.ms/ContentUserFeedback	0%	Avira URL Cloud	safe
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	0%	Avira URL Cloud	safe
https://github.com/adegeo	0%	Avira URL Cloud	safe
https://github.com/jonschlinkert/is-plain-object	0%	Avira URL Cloud	safe
https://aka.ms/pshelpmechoose	0%	Avira URL Cloud	safe
https://github.com/$	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	0%	Avira URL Cloud	safe
https://github.com/js-cookie/js-cookie	0%	Avira URL Cloud	safe
https://aka.ms/feedback/report?space=61	0%	Avira URL Cloud	safe
https://octokit.github.io/rest.js/#throttling	0%	Avira URL Cloud	safe
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/vod/player	0%	Avira URL Cloud	safe
https://twitter.com/intent/tweet?original_referer=$	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/	0%	Avira URL Cloud	safe
https://github.com/gewarren	0%	Avira URL Cloud	safe
https://channel9.msdn.com/	0%	Avira URL Cloud	safe
https://github.com/dotnet/try	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0014.t-0009.t-msedge.net	13.107.246.42	true	false	unknown
www.google.com	142.250.185.132	true	false	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	unknown
js.monitor.azure.com	unknown	unknown	true	unknown
mdec.nelreports.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://client-api.arkoselabs.com/v2/api.js	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/Thraka	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/issues	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
http://polymer.github.io/PATENTS.txt	chromecache_180.4.dr, chromecache_187.4.dr	false	URL Reputation: safe	unknown
https://aka.ms/LFO_Events?wt.mc_id=esi_lfobannerevents_webpage_wwl	chromecache_161.4.dr, chromecache_159.4.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/certhelp	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://www.linkedin.com/cws/share?url=$	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/ContentUserFeedback	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/mairaw	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://schema.org	chromecache_187.4.dr	false	URL Reputation: safe	unknown
http://polymer.github.io/LICENSE.txt	chromecache_180.4.dr, chromecache_187.4.dr	false	URL Reputation: safe	unknown
https://github.com/Youssef1313	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
http://polymer.github.io/AUTHORS.txt	chromecache_180.4.dr, chromecache_187.4.dr	false	URL Reputation: safe	unknown
https://aka.ms/yourcaliforniaprivacychoices	chromecache_179.4.dr	false	URL Reputation: safe	unknown
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/nschonni	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/DP600/Plan/LearnT2?ocid=fabric24-dp600plan_learnpromo_T2_ad	chromecache_161.4.dr, chromecache_159.4.dr	false	Avira URL Cloud: safe	unknown
https://management.azure.com/subscriptions?api-version=2016-06-01	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe	false	Avira URL Cloud: safe	unknown
https://github.com/adegeo	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/pshelpmechoose	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/feedback/report?space=61	chromecache_179.4.dr, chromecache_154.4.dr, chromecache_188.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/jonschlinkert/is-plain-object	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://octokit.github.io/rest.js/#throttling	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/js-cookie/js-cookie	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://learn-video.azurefd.net/vod/player	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://twitter.com/intent/tweet?original_referer=$	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/$	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/gewarren	chromecache_179.4.dr	false	Avira URL Cloud: safe	unknown
http://schema.org/Organization	chromecache_179.4.dr	false	URL Reputation: safe	unknown
http://polymer.github.io/CONTRIBUTORS.txt	chromecache_180.4.dr, chromecache_187.4.dr	false	URL Reputation: safe	unknown
https://channel9.msdn.com/	chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://learn-video.azurefd.net/	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/try	chromecache_180.4.dr, chromecache_187.4.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.42	s-part-0014.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.100	unknown	United States	15169	GOOGLEUS	false
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480419
Start date and time:	2024-07-24 18:52:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@30/67@12/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 142.250.185.163, 74.125.133.84, 142.250.185.238, 95.101.150.2, 34.104.35.123, 199.232.214.172, 192.229.221.95, 142.250.185.170, 216.58.206.74, 216.58.212.138, 142.250.185.234, 142.250.184.202, 142.250.185.74, 142.250.186.138, 142.250.185.106, 216.58.206.42, 172.217.16.138, 142.250.186.74, 142.250.186.42, 142.250.185.202, 142.250.186.170, 172.217.18.106, 142.250.181.234, 2.19.126.137, 2.19.126.156, 20.189.173.18, 13.74.129.1, 204.79.197.237, 13.107.21.237, 52.182.141.63, 142.250.181.227, 216.58.206.46
Excluded domains from analysis (whitelisted): aijscdn2.afd.azureedge.net, slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, onedscolprdwus15.westus.cloudapp.azure.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, clients2.google.com, ocsp.digicert.com, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, update.googleapis.com, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, c-bing-com.dual-a-0034.a-msedge.net, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, aijscdn2.azureedge.net, browser.events.data.microsoft.com, edgedl.me.gvt1.com, e13636.dscb.akamaiedge.net, c.bing.com, learn-public.trafficmanager.net, go.microsoft.com.edgekey.net, dual-a-0034.a-msedge.net, clients.l.google.com, c1.microsoft.com, wcpstatic.micr
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Perplexity: mixtral-8x7b-instruct

{"loginform": false,"urgency": false,"captcha": false,"reasons": ["The webpage does not contain a login form, as there is no explicit request for sensitive information such as passwords, email addresses, usernames, phone numbers, or credit card numbers.","The text of the webpage does not create a sense of urgency, as there are no phrases that encourage immediate action such as 'Click here to view document' or 'To view secured document click here'.","The webpage does not contain a CAPTCHA or any other anti-robot detection mechanism."]}

Title: Fix .NET Framework 'This application could not be started' - .NET Framework | Microsoft Learn OCR: Learn Q Sign in Discover v Product documentation Development languages v Topics v .NET Languages Features v Workloads Troubleshooting Resources v Download .NET APIs v Filter by title .NET / .NET Framework / Learn / .NET Framework documentation "This application could not be Overview of .NET Framework started" error when running a .NET Get started v Installation guide Framework application Overview For developers Article  02/16/2023  6 contributors Feedback > By OS version Repair .NET framework In this article v TroubleshcHJt How to fix the error Troubleshoot install end uninstall See also Troubleshoot 'This application could not started' When you attempt to run a .NET Framework application, you may receive the "This .NET Framework 3.5 on Windows 8 application could not be started" error message. When this error is caused by an installed through Windows 11 version of .NET Framework not being detected, or by .NET Framework being corrupted, use this article to try to solve that problem. .NET Framework 1.1 on Windows 8 through Windows 11 mt.exe - This application could not be started. > Migration guide Development guide This application could not be started, > Tools Do you want to view information about this issue? > Additional APIs > What's new and obsolete Code analysis Yes No Download PDF

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.246.42	https://protect-us.mimecast.com/s/FVibCzpzxLsxEMXAhgAOBC	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
	http://border-fd.smartertechnologies.com/	Get hash	malicious	Unknown	Browse	border-fd.smartertechnologies.com/
	https://protect-us.mimecast.com/s/4MrPCrkvgotDWxrNCzxa8p	Get hash	malicious	Unknown	Browse	www.mimecast.com/
239.255.255.250	K-Lite_Codec_Pack_1848_Basic.exe	Get hash	malicious	Unknown	Browse
	7EE182A4E061B93EAA096B87B0914D115F5C49D2812A6C81C62A836892ADC359.exe	Get hash	malicious	Unknown	Browse
	https://forms.office.com/Pages/ResponsePage.aspx?id=OLE8nwnwvUGeQ8SAAnPcLaQBldauQopOpJ-jSe9_NVZUNlkxVjJDS1Q3REs1UURGM0hCWExBUE5KQS4u	Get hash	malicious	Unknown	Browse
	7CB92356A0170028FABC20F0CB9736B149EFAB01824AB1173B3277340A6A2EC4.exe	Get hash	malicious	Unknown	Browse
	https://assets-usa.mkt.dynamics.com/95689b1f-9545-ef11-bfdf-00224825570b/digitalassets/standaloneforms/40bb8d8b-d049-ef11-a317-6045bdd83a8b	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse
	https://forestnet.com.br/FFUmVuYWkuV2FycmVuQG5scmIuZ292	Get hash	malicious	Unknown	Browse
	7886ceadafacdaaa0118c8412eda7b48db1f65f798a05ec6bf962b6463f10fd2.exe	Get hash	malicious	Unknown	Browse
	ulHQcdJULU.exe	Get hash	malicious	Unknown	Browse
	ulHQcdJULU.exe	Get hash	malicious	Unknown	Browse
	https://repodex11.github.io/post/	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
13.107.246.60	https://protect-us.mimecast.com/s/wFHoCqxrAnt7V914iZaD1v	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
13.107.246.60	http://wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5	Get hash	malicious	Unknown	Browse	wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0014.t-0009.t-msedge.net	7EE182A4E061B93EAA096B87B0914D115F5C49D2812A6C81C62A836892ADC359.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	7CB92356A0170028FABC20F0CB9736B149EFAB01824AB1173B3277340A6A2EC4.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://assets-usa.mkt.dynamics.com/95689b1f-9545-ef11-bfdf-00224825570b/digitalassets/standaloneforms/40bb8d8b-d049-ef11-a317-6045bdd83a8b	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	13.107.246.42
	7886ceadafacdaaa0118c8412eda7b48db1f65f798a05ec6bf962b6463f10fd2.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	73503980443062d80f82cb75fa021a3be6b8f09785c39efbaff963589c82863a.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	6d4d1cf893010134d60cef12d228da180680a1d4433d143ab80477df00e6fbd8.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	645ecd4cf092b3f03180291a311ad540fe2542486d08e648f6f0ac23de4344d0.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://forms.office.com/r/MbTXnrrxDY	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	qGJBgGtR7e.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT	Browse	13.107.246.42
	VaajyQsbTV.exe	Get hash	malicious	GhostRat, Nitol	Browse	13.107.246.42
s-part-0032.t-0009.t-msedge.net	7EE182A4E061B93EAA096B87B0914D115F5C49D2812A6C81C62A836892ADC359.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://assets-usa.mkt.dynamics.com/95689b1f-9545-ef11-bfdf-00224825570b/digitalassets/standaloneforms/40bb8d8b-d049-ef11-a317-6045bdd83a8b	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	13.107.246.60
	7886ceadafacdaaa0118c8412eda7b48db1f65f798a05ec6bf962b6463f10fd2.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	Ahxjl36V4o.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	73503980443062d80f82cb75fa021a3be6b8f09785c39efbaff963589c82863a.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	6d4d1cf893010134d60cef12d228da180680a1d4433d143ab80477df00e6fbd8.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	645ecd4cf092b3f03180291a311ad540fe2542486d08e648f6f0ac23de4344d0.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://forms.office.com/r/MbTXnrrxDY	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	59cd053dd976f2d92ef879e92ce937786eb286efdceb62823096ae71cc291311.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	4E20A72F2791A602F8EE9999765A9365729FF929DA4D5FA6BE7BFB4C20E9989E.exe	Get hash	malicious	Unknown	Browse	13.107.246.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	7EE182A4E061B93EAA096B87B0914D115F5C49D2812A6C81C62A836892ADC359.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	7CB92356A0170028FABC20F0CB9736B149EFAB01824AB1173B3277340A6A2EC4.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://assets-usa.mkt.dynamics.com/95689b1f-9545-ef11-bfdf-00224825570b/digitalassets/standaloneforms/40bb8d8b-d049-ef11-a317-6045bdd83a8b	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	13.107.246.60
	7886ceadafacdaaa0118c8412eda7b48db1f65f798a05ec6bf962b6463f10fd2.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	73503980443062d80f82cb75fa021a3be6b8f09785c39efbaff963589c82863a.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	6d4d1cf893010134d60cef12d228da180680a1d4433d143ab80477df00e6fbd8.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	XEV5ucEWu7.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	645ecd4cf092b3f03180291a311ad540fe2542486d08e648f6f0ac23de4344d0.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://forms.office.com/r/MbTXnrrxDY	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	qGJBgGtR7e.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT	Browse	13.107.246.42
MICROSOFT-CORP-MSN-AS-BLOCKUS	7EE182A4E061B93EAA096B87B0914D115F5C49D2812A6C81C62A836892ADC359.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	7CB92356A0170028FABC20F0CB9736B149EFAB01824AB1173B3277340A6A2EC4.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://assets-usa.mkt.dynamics.com/95689b1f-9545-ef11-bfdf-00224825570b/digitalassets/standaloneforms/40bb8d8b-d049-ef11-a317-6045bdd83a8b	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	13.107.246.60
	7886ceadafacdaaa0118c8412eda7b48db1f65f798a05ec6bf962b6463f10fd2.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	73503980443062d80f82cb75fa021a3be6b8f09785c39efbaff963589c82863a.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	6d4d1cf893010134d60cef12d228da180680a1d4433d143ab80477df00e6fbd8.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	XEV5ucEWu7.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	645ecd4cf092b3f03180291a311ad540fe2542486d08e648f6f0ac23de4344d0.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://forms.office.com/r/MbTXnrrxDY	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	qGJBgGtR7e.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT	Browse	13.107.246.42

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	7EE182A4E061B93EAA096B87B0914D115F5C49D2812A6C81C62A836892ADC359.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	7CB92356A0170028FABC20F0CB9736B149EFAB01824AB1173B3277340A6A2EC4.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	7886ceadafacdaaa0118c8412eda7b48db1f65f798a05ec6bf962b6463f10fd2.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://pub-18c0b230f8f2453bbc80499dbfd675b4.r2.dev	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://ram-coza.com/NowPay	Get hash	malicious	Unknown	Browse	23.1.237.91
	4FE08CC381F8F4EA6E3D8E34FDDF094193CCBBCC1CAE7217F0233893B9C566A2.exe	Get hash	malicious	Babadeda, Bdaejec	Browse	23.1.237.91
	4D8B9771E44C71F5D5442559FAD0B99581C6E33B339AF9ECEC54095A18AAFE82.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb_dump1.exe	Get hash	malicious	Nanocore, Remcos	Browse	23.1.237.91
	https://url.us.m.mimecastprotect.com/s/UkmpCmZgG1h5BO2ghBi2tR8UWK?domain=forms.office.com	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://pub-47b15c982a8d495da7002fa629c6f9a0.r2.dev/www.outlook.office365.cozsidAAQkADZiMjRkdgdMm0000dgdfZDktNGEzNS04ZW000000000000ftekjsguwmgde000000.html	Get hash	malicious	Unknown	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	K-Lite_Codec_Pack_1848_Basic.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	7EE182A4E061B93EAA096B87B0914D115F5C49D2812A6C81C62A836892ADC359.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	https://forms.office.com/Pages/ResponsePage.aspx?id=OLE8nwnwvUGeQ8SAAnPcLaQBldauQopOpJ-jSe9_NVZUNlkxVjJDS1Q3REs1UURGM0hCWExBUE5KQS4u	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	7CB92356A0170028FABC20F0CB9736B149EFAB01824AB1173B3277340A6A2EC4.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	https://assets-usa.mkt.dynamics.com/95689b1f-9545-ef11-bfdf-00224825570b/digitalassets/standaloneforms/40bb8d8b-d049-ef11-a317-6045bdd83a8b	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	7886ceadafacdaaa0118c8412eda7b48db1f65f798a05ec6bf962b6463f10fd2.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	ulHQcdJULU.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	ulHQcdJULU.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	https://repodex11.github.io/post/	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	13.85.23.86 184.28.90.27
	73503980443062d80f82cb75fa021a3be6b8f09785c39efbaff963589c82863a.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 24 15:53:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9906343788664382
Encrypted:	false
SSDEEP:	48:8TkdXcT3AwrHvidAKZdA19ehwiZUklqehNy+3:87/dqy
MD5:	C75E546CF28C5965862FB4EEE66FB4C9
SHA1:	687D4587F33F14AD29231D3548BD0C3D79963FD1
SHA-256:	69ED82B5B529E82DE43836D296F01A3ACF2340DB2052E606DD141AAE7EE66190
SHA-512:	A984B458E123495825D21BF6CCF88E4EA6362F0C758CAB3484CE715D12CA1E9C269529C00872B9451DB5E861E8A5D6F49E68825869D9DECB9F4FF117751B11AA
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,...........N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............y.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.149551414799612
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe
File size:	53'760 bytes
MD5:	1a4ac0f78511c028b51e0b302b080946
SHA1:	cf5d9e076aabb18759dfeabf59f4328f3fe30088
SHA256:	d59c7ccf805724c5a8704e0ed9e457bfe33b61e150d646c1da2703e30c22da9e
SHA512:	c38e8742bdfc93aa4b6ffc4789e4e1b844c276bc61eff07729df70781d30ad9f2aab2b2d0290235d828bc556be996f53ded0441440c93b1249abc6e03c855bbf
SSDEEP:	768:PKXTZ38f7CTv8FwKrM+rMRa8NujBtUmQGPL4vzZq2o9W7GsxBbPr:PiTZsTCTv8u1+gRJNA49GCq2iW7z
TLSH:	F6336D8D7FE084ACC4FD157B05B2E4130777E05B5E23D91E8EF294AA36636818F54AE1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:b................................. ........@.. .......................@............@................................

Entrypoint:	0x40e000
Entrypoint Section:	u
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x623ADEC4 [Wed Mar 23 08:48:04 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab6c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bc4	0x8c00	0d11b688183f010f66c54d2fe3761477	False	0.463671875	data	5.6066747364381095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	163d66697186c0743c0da6f82247a39a	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
u	0xe000	0x6000	0x4200	564045a36507f78af300dae49ffbca5a	False	0.77734375	data	6.933656811505602	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 18:53:06.810446024 CEST	53	49396	1.1.1.1	192.168.2.5
Jul 24, 2024 18:53:06.817857981 CEST	53	57916	1.1.1.1	192.168.2.5
Jul 24, 2024 18:53:07.951709986 CEST	53	52837	1.1.1.1	192.168.2.5
Jul 24, 2024 18:53:10.018311977 CEST	52902	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:53:10.018377066 CEST	53773	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:53:10.878650904 CEST	56196	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:53:10.879023075 CEST	53678	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:53:10.886687994 CEST	53	56196	1.1.1.1	192.168.2.5
Jul 24, 2024 18:53:10.886912107 CEST	53	53678	1.1.1.1	192.168.2.5
Jul 24, 2024 18:53:11.362303019 CEST	63224	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:53:11.362581015 CEST	64580	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:53:23.178606033 CEST	56614	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:53:23.179074049 CEST	50943	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:53:23.180684090 CEST	53	59031	1.1.1.1	192.168.2.5
Jul 24, 2024 18:53:25.248794079 CEST	53	49271	1.1.1.1	192.168.2.5
Jul 24, 2024 18:53:44.060405016 CEST	53	54798	1.1.1.1	192.168.2.5
Jul 24, 2024 18:53:49.121751070 CEST	53	53976	1.1.1.1	192.168.2.5
Jul 24, 2024 18:54:06.640260935 CEST	53	55704	1.1.1.1	192.168.2.5
Jul 24, 2024 18:54:10.932185888 CEST	65131	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:54:10.932307005 CEST	54309	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:54:11.505426884 CEST	53	65131	1.1.1.1	192.168.2.5
Jul 24, 2024 18:54:11.505471945 CEST	53	54309	1.1.1.1	192.168.2.5
Jul 24, 2024 18:54:24.750617981 CEST	62803	53	192.168.2.5	1.1.1.1
Jul 24, 2024 18:54:24.750793934 CEST	65306	53	192.168.2.5	1.1.1.1

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 18:53:10.026599884 CEST	1.1.1.1	192.168.2.5	0xb16a	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:10.030579090 CEST	1.1.1.1	192.168.2.5	0xa6ee	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:10.030579090 CEST	1.1.1.1	192.168.2.5	0xa6ee	No error (0)	shed.dual-low.s-part-0014.t-0009.t-msedge.net	s-part-0014.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:10.030579090 CEST	1.1.1.1	192.168.2.5	0xa6ee	No error (0)	s-part-0014.t-0009.t-msedge.net		13.107.246.42	A (IP address)	IN (0x0001)	false
Jul 24, 2024 18:53:10.030608892 CEST	1.1.1.1	192.168.2.5	0x79f3	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:10.030608892 CEST	1.1.1.1	192.168.2.5	0x79f3	No error (0)	shed.dual-low.s-part-0014.t-0009.t-msedge.net	s-part-0014.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:10.030608892 CEST	1.1.1.1	192.168.2.5	0x79f3	No error (0)	s-part-0014.t-0009.t-msedge.net		13.107.246.42	A (IP address)	IN (0x0001)	false
Jul 24, 2024 18:53:10.030637980 CEST	1.1.1.1	192.168.2.5	0xac0f	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:10.886687994 CEST	1.1.1.1	192.168.2.5	0xdfa1	No error (0)	www.google.com		142.250.185.132	A (IP address)	IN (0x0001)	false
Jul 24, 2024 18:53:10.886912107 CEST	1.1.1.1	192.168.2.5	0x66c9	No error (0)	www.google.com			65	IN (0x0001)	false
Jul 24, 2024 18:53:10.978986025 CEST	1.1.1.1	192.168.2.5	0x6d22	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:10.978986025 CEST	1.1.1.1	192.168.2.5	0x6d22	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:10.978986025 CEST	1.1.1.1	192.168.2.5	0x6d22	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Jul 24, 2024 18:53:10.979023933 CEST	1.1.1.1	192.168.2.5	0xb0cf	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:11.370462894 CEST	1.1.1.1	192.168.2.5	0xc1cf	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:11.370462894 CEST	1.1.1.1	192.168.2.5	0xc1cf	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:11.370462894 CEST	1.1.1.1	192.168.2.5	0xc1cf	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Jul 24, 2024 18:53:11.371921062 CEST	1.1.1.1	192.168.2.5	0x4606	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:23.187575102 CEST	1.1.1.1	192.168.2.5	0xa14f	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:23.192919016 CEST	1.1.1.1	192.168.2.5	0xeb75	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:24.336957932 CEST	1.1.1.1	192.168.2.5	0x7eb8	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:24.340919971 CEST	1.1.1.1	192.168.2.5	0x21d4	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:27.927747965 CEST	1.1.1.1	192.168.2.5	0x5292	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:53:27.930493116 CEST	1.1.1.1	192.168.2.5	0xe545	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:54:11.505426884 CEST	1.1.1.1	192.168.2.5	0x354e	No error (0)	www.google.com		142.250.185.100	A (IP address)	IN (0x0001)	false
Jul 24, 2024 18:54:11.505471945 CEST	1.1.1.1	192.168.2.5	0xd616	No error (0)	www.google.com			65	IN (0x0001)	false
Jul 24, 2024 18:54:24.759488106 CEST	1.1.1.1	192.168.2.5	0x896c	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 18:54:24.760451078 CEST	1.1.1.1	192.168.2.5	0xda4e	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-07-24 16:53:10 UTC	551	OUT	GET /mscc/lib/v2/wcp-consent.js HTTP/1.1 Host: wcpstatic.microsoft.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-24 16:53:10 UTC	713	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 16:53:10 GMT Content-Type: application/javascript Content-Length: 52717 Connection: close Access-Control-Allow-Origin: * Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding Age: 35260 Cache-Control: max-age=43200 Content-MD5: QT/MdZzBmCG2G2lBgIsptQ== Etag: 0x8DA85F6F74C6D08 Last-Modified: Wed, 24 Aug 2022 17:34:58 GMT Vary: Accept-Encoding X-Cache: CONFIG_NOCACHE x-ms-blob-type: BlockBlob x-ms-lease-status: unlocked x-ms-request-id: e58378cc-201e-00d5-1b97-dd2f52000000 x-ms-version: 2009-09-19 x-azure-ref: 20240724T165310Z-15b94bb6ff9f5mm5g2kn1xpxws00000003e0000000007khm Accept-Ranges: bytes
2024-07-24 16:53:10 UTC	15671	IN	Data Raw: 76 61 72 20 57 63 70 43 6f 6e 73 65 6e 74 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 7b 32 32 39 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 77 69 6e 64 6f 77 2c 65 2e 65 78 70 6f 72 74 73 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 6f 28 6e 29 7b 69 66 28 74 5b 6e 5d 29 72 65 74 75 72 6e 20 74 5b 6e 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 72 3d 74 5b 6e 5d 3d 7b 69 3a 6e 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 7d 7d 3b 72 65 74 75 72 6e 20 65 5b 6e 5d 2e 63 61 6c 6c 28 72 2e 65 78 70 6f 72 74 73 2c 72 2c 72 2e 65 78 70 6f 72 74 73 2c 6f 29 2c 72 2e 6c 3d 21 30 2c 72 2e 65 78 70 6f 72 74 73 7d 72 65 74 75 72 6e 20 6f 2e 6d 3d 65 2c 6f 2e 63 3d 74 2c 6f 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 65 Data Ascii: var WcpConsent;!function(){var e={229:function(e){window,e.exports=function(e){var t={};function o(n){if(t[n])return t[n].exports;var r=t[n]={i:n,l:!1,exports:{}};return e[n].call(r.exports,r,r.exports,o),r.l=!0,r.exports}return o.m=e,o.c=t,o.d=function(e
2024-07-24 16:53:10 UTC	16384	IN	Data Raw: 29 7b 72 65 74 75 72 6e 20 65 3f 65 2e 72 65 70 6c 61 63 65 28 2f 26 2f 67 2c 22 26 61 6d 70 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3c 2f 67 2c 22 26 6c 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3e 2f 67 2c 22 26 67 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 22 2f 67 2c 22 26 71 75 6f 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 27 2f 67 2c 22 26 23 30 33 39 3b 22 29 3a 22 22 7d 2c 65 7d 28 29 2c 61 3d 6e 2e 6c 6f 63 61 6c 73 2c 6c 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 65 2c 74 2c 6f 2c 6e 2c 72 2c 69 2c 61 29 7b 74 68 69 73 2e 64 69 72 65 63 74 69 6f 6e 3d 22 6c 74 72 22 2c 74 68 69 73 2e 70 72 65 76 69 6f 75 73 46 6f 63 75 73 45 6c 65 6d 65 6e 74 42 65 66 6f 72 65 50 6f 70 75 70 3d 6e 75 6c 6c 2c 74 68 69 73 2e 63 6f 6f 6b 69 Data Ascii: ){return e?e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'"):""},e}(),a=n.locals,l=function(){function e(e,t,o,n,r,i,a){this.direction="ltr",this.previousFocusElementBeforePopup=null,this.cooki
2024-07-24 16:53:10 UTC	711	IN	Data Raw: 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 2c 74 2b 3d 27 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 2e 27 2b 63 2e 63 6f 6f 6b 69 65 49 74 65 6d 52 61 64 69 6f 42 74 6e 2b 22 20 2b 20 6c 61 62 65 6c 3a 68 6f 76 65 72 3a 3a 61 66 74 65 72 20 7b 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 22 2b 65 5b 22 72 61 64 69 6f 2d 62 75 74 74 6f 6e 2d 68 6f 76 65 72 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 2c 74 2b 3d 27 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 2e 27 2b 63 2e 63 6f 6f 6b 69 65 49 74 65 6d 52 61 64 69 6f 42 74 6e 2b 22 20 2b 20 6c Data Ascii: or"]+" !important;\n }",t+='input[type="radio"].'+c.cookieItemRadioBtn+" + label:hover::after {\n background-color: "+e["radio-button-hover-background-color"]+" !important;\n }",t+='input[type="radio"].'+c.cookieItemRadioBtn+" + l
2024-07-24 16:53:10 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 22 2b 65 5b 22 72 61 64 69 6f 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 63 6f 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 7d 2c 65 7d 28 29 2c 64 3d 5b 22 61 72 22 2c 22 68 65 22 2c 22 70 73 22 2c 22 75 72 22 2c 22 66 61 22 2c 22 70 61 22 2c 22 73 64 22 2c 22 74 6b 22 2c 22 75 67 22 2c 22 79 69 22 2c 22 73 79 72 22 2c 22 6b 73 2d 61 72 61 62 22 5d 2c 75 3d 7b 22 63 6c 6f 73 65 2d 62 75 74 74 6f 6e 2d 63 6f 6c 6f 72 22 3a 22 23 36 36 36 36 36 36 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 6f 70 61 63 69 74 79 22 3a 22 31 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f Data Ascii: background-color: "+e["radio-button-disabled-color"]+" !important;\n }"},e}(),d=["ar","he","ps","ur","fa","pa","sd","tk","ug","yi","syr","ks-arab"],u={"close-button-color":"#666666","secondary-button-disabled-opacity":"1","secondary-butto
2024-07-24 16:53:10 UTC	3567	IN	Data Raw: 28 22 2d 22 29 5b 30 5d 3b 6f 3d 65 2e 73 70 6c 69 74 28 22 2d 22 29 5b 30 5d 3d 3d 3d 6e 7d 72 65 74 75 72 6e 20 6f 7d 28 65 2c 63 29 7d 29 29 3b 73 26 26 30 3d 3d 3d 73 2e 6c 65 6e 67 74 68 26 26 28 65 3d 22 65 6e 2d 55 53 22 29 2c 6f 2e 70 6c 61 63 65 68 6f 6c 64 65 72 45 6c 65 6d 65 6e 74 3d 6c 2c 72 26 26 6f 2e 63 6f 6e 73 65 6e 74 43 68 61 6e 67 65 64 43 61 6c 6c 62 61 63 6b 73 2e 72 65 67 69 73 74 65 72 43 61 6c 6c 62 61 63 6b 28 72 29 2c 6f 2e 73 61 76 65 43 6f 6f 6b 69 65 28 29 2c 6f 2e 73 69 74 65 43 6f 6e 73 65 6e 74 3d 6e 65 77 20 66 28 21 31 29 2c 6e 75 6c 6c 3d 3d 6e 7c 7c 6e 28 76 6f 69 64 20 30 2c 6f 2e 73 69 74 65 43 6f 6e 73 65 6e 74 29 2c 6f 2e 69 73 49 6e 69 74 52 65 61 64 79 3d 21 30 2c 74 68 69 73 2e 63 6f 6e 73 65 6e 74 43 68 61 6e Data Ascii: ("-")[0];o=e.split("-")[0]===n}return o}(e,c)}));s&&0===s.length&&(e="en-US"),o.placeholderElement=l,r&&o.consentChangedCallbacks.registerCallback(r),o.saveCookie(),o.siteConsent=new f(!1),null==n\|\|n(void 0,o.siteConsent),o.isInitReady=!0,this.consentChan

Timestamp	Bytes transferred	Direction	Data
2024-07-24 16:53:10 UTC	549	OUT	GET /scripts/c/ms.jsll-4.min.js HTTP/1.1 Host: js.monitor.azure.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-24 16:53:10 UTC	958	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 16:53:10 GMT Content-Type: text/javascript; charset=utf-8 Content-Length: 206998 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: no-transform, public, max-age=1800, immutable Last-Modified: Mon, 15 Jul 2024 17:38:35 GMT ETag: 0x8DCA4F4F47351DF x-ms-request-id: bd54a350-101e-00a5-0729-dd7893000000 x-ms-version: 2009-09-19 x-ms-meta-jssdkver: 4.3.0 x-ms-meta-jssdksrc: [cdn]/scripts/c/ms.jsll-4.3.0.min.js Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-jssdkver,x-ms-meta-jssdksrc,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240724T165310Z-15b94bb6ff9rvst5kfy6cdy6hc0000000190000000000504 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-07-24 16:53:10 UTC	15426	IN	Data Raw: 2f 2a 21 0a 20 2a 20 31 44 53 20 4a 53 4c 4c 20 53 4b 55 2c 20 34 2e 33 2e 30 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 4d 69 63 72 6f 73 6f 66 74 20 61 6e 64 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 0a 20 2a 20 28 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 61 6c 20 4f 6e 6c 79 29 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 3d 22 75 6e 64 65 66 69 6e 65 64 22 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 21 3d 6e 29 74 28 65 78 70 6f 72 74 73 29 3b 65 6c 73 65 20 69 66 28 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 Data Ascii: /! 1DS JSLL SKU, 4.3.0 * Copyright (c) Microsoft and contributors. All rights reserved. * (Microsoft Internal Only) */!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&defi
2024-07-24 16:53:10 UTC	16384	IN	Data Raw: 66 65 28 22 63 6f 6e 73 6f 6c 65 22 29 29 26 26 28 72 2e 65 72 72 6f 72 7c 7c 72 2e 6c 6f 67 29 28 74 2c 61 65 28 69 29 29 29 29 7d 78 65 28 61 3d 7b 74 68 65 6e 3a 6f 2c 22 63 61 74 63 68 22 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 6f 28 75 6e 64 65 66 69 6e 65 64 2c 65 29 7d 2c 22 66 69 6e 61 6c 6c 79 22 3a 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 65 3d 74 2c 6e 3d 74 3b 72 65 74 75 72 6e 20 51 28 74 29 26 26 28 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 74 26 26 74 28 29 2c 65 7d 2c 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 74 68 72 6f 77 20 74 26 26 74 28 29 2c 65 7d 29 2c 6f 28 65 2c 6e 29 7d 7d 2c 22 73 74 61 74 65 22 2c 7b 67 65 74 3a 64 7d 29 2c 6d 74 28 29 26 26 28 61 5b 79 74 28 31 31 29 5d 3d 22 49 Data Ascii: fe("console"))&&(r.error\|\|r.log)(t,ae(i))))}xe(a={then:o,"catch":function(e){return o(undefined,e)},"finally":function(t){var e=t,n=t;return Q(t)&&(e=function(e){return t&&t(),e},n=function(e){throw t&&t(),e}),o(e,n)}},"state",{get:d}),mt()&&(a[yt(11)]="I
2024-07-24 16:53:10 UTC	16384	IN	Data Raw: 2c 6e 2e 68 3d 6e 2e 68 7c 7c 72 6e 28 73 63 2c 30 2c 6e 29 29 3a 4c 28 72 2c 5b 65 5d 29 29 7d 29 7d 64 63 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 66 63 3d 64 63 3b 66 75 6e 63 74 69 6f 6e 20 64 63 28 65 29 7b 74 68 69 73 2e 6c 69 73 74 65 6e 65 72 73 3d 5b 5d 3b 76 61 72 20 6e 2c 69 3d 5b 5d 2c 61 3d 7b 68 3a 6e 75 6c 6c 2c 63 62 3a 5b 5d 7d 2c 6f 3d 6c 6f 28 65 2c 75 63 29 5b 47 6e 5d 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6e 3d 21 21 65 2e 63 66 67 2e 70 65 72 66 45 76 74 73 53 65 6e 64 41 6c 6c 7d 29 3b 76 65 28 64 63 2c 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 59 28 65 2c 22 6c 69 73 74 65 6e 65 72 73 22 2c 7b 67 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 69 7d 7d 29 2c 65 5b 74 72 5d 3d 66 75 6e 63 74 69 6f 6e 28 65 29 Data Ascii: ,n.h=n.h\|\|rn(sc,0,n)):L(r,[e]))})}dc.__ieDyn=1;var fc=dc;function dc(e){this.listeners=[];var n,i=[],a={h:null,cb:[]},o=lo(e,uc)[Gn](function(e){n=!!e.cfg.perfEvtsSendAll});ve(dc,this,function(e){Y(e,"listeners",{g:function(){return i}}),e[tr]=function(e)
2024-07-24 16:53:11 UTC	16384	IN	Data Raw: 28 61 29 7d 2c 36 2c 6e 29 2c 69 7d 2c 66 5b 63 72 5d 3d 73 2c 66 2e 61 64 64 50 6c 75 67 69 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 2c 72 29 7b 69 66 28 21 65 29 72 65 74 75 72 6e 20 72 26 26 72 28 21 31 29 2c 76 6f 69 64 20 43 28 6e 75 29 3b 76 61 72 20 69 3d 73 28 65 5b 5a 6e 5d 29 3b 69 66 28 69 26 26 21 74 29 72 65 74 75 72 6e 20 72 26 26 72 28 21 31 29 2c 76 6f 69 64 20 43 28 22 50 6c 75 67 69 6e 20 5b 22 2b 65 5b 5a 6e 5d 2b 22 5d 20 69 73 20 61 6c 72 65 61 64 79 20 6c 6f 61 64 65 64 21 22 29 3b 76 61 72 20 61 2c 6f 3d 7b 72 65 61 73 6f 6e 3a 31 36 7d 3b 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 41 5b 74 65 5d 28 65 29 2c 6f 2e 61 64 64 65 64 3d 5b 65 5d 2c 67 28 6f 29 2c 72 26 26 72 28 21 30 29 7d 69 3f 76 28 61 3d 5b 69 2e 70 6c 75 67 69 6e Data Ascii: (a)},6,n),i},f[cr]=s,f.addPlugin=function(e,t,n,r){if(!e)return r&&r(!1),void C(nu);var i=s(e[Zn]);if(i&&!t)return r&&r(!1),void C("Plugin ["+e[Zn]+"] is already loaded!");var a,o={reason:16};function c(){A[te](e),o.added=[e],g(o),r&&r(!0)}i?v(a=[i.plugin
2024-07-24 16:53:11 UTC	16384	IN	Data Raw: 73 5d 28 29 2c 6e 3d 66 65 28 65 3d 3d 3d 43 6c 2e 4c 6f 63 61 6c 53 74 6f 72 61 67 65 3f 22 6c 6f 63 61 6c 53 74 6f 72 61 67 65 22 3a 22 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 22 29 2c 72 3d 54 6c 2b 74 2c 69 3d 28 6e 2e 73 65 74 49 74 65 6d 28 72 2c 74 29 2c 6e 2e 67 65 74 49 74 65 6d 28 72 29 21 3d 3d 74 29 3b 69 66 28 6e 5b 77 73 5d 28 72 29 2c 21 69 29 72 65 74 75 72 6e 20 6e 7d 63 61 74 63 68 28 61 29 7b 7d 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 66 75 6e 63 74 69 6f 6e 20 45 6c 28 29 7b 72 65 74 75 72 6e 20 5f 6c 28 29 3f 49 6c 28 43 6c 2e 53 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 29 3a 6e 75 6c 6c 7d 66 75 6e 63 74 69 6f 6e 20 5f 6c 28 65 29 7b 72 65 74 75 72 6e 20 62 6c 3d 65 7c 7c 62 6c 3d 3d 3d 75 6e 64 65 66 69 6e 65 64 3f 21 21 49 6c 28 43 6c Data Ascii: s](),n=fe(e===Cl.LocalStorage?"localStorage":"sessionStorage"),r=Tl+t,i=(n.setItem(r,t),n.getItem(r)!==t);if(n[ws](r),!i)return n}catch(a){}return null}function El(){return _l()?Il(Cl.SessionStorage):null}function _l(e){return bl=e\|\|bl===undefined?!!Il(Cl
2024-07-24 16:53:11 UTC	16384	IN	Data Raw: 72 6e 20 6f 7d 7d 29 2c 59 28 65 2c 22 70 61 67 65 56 69 73 69 74 54 69 6d 65 54 72 61 63 6b 69 6e 67 48 61 6e 64 6c 65 72 22 2c 7b 67 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 7d 7d 29 7d 29 7d 76 61 72 20 45 64 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 74 68 69 73 5b 6c 64 5d 3d 4f 74 28 29 2c 74 68 69 73 2e 70 61 67 65 4e 61 6d 65 3d 65 2c 74 68 69 73 2e 70 61 67 65 55 72 6c 3d 74 7d 2c 5f 64 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 65 29 7b 76 61 72 20 6f 3d 74 68 69 73 2c 63 3d 7b 7d 3b 6f 2e 73 74 61 72 74 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 63 5b 65 5d 26 26 6d 65 28 61 2c 32 2c 36 32 2c 22 73 74 61 72 74 20 77 61 73 20 63 61 6c 6c 65 64 20 6d 6f 72 65 20 74 68 61 6e 20 Data Ascii: rn o}}),Y(e,"pageVisitTimeTrackingHandler",{g:function(){return c}})})}var Ed=function(e,t){this[ld]=Ot(),this.pageName=e,this.pageUrl=t},_d=function(a,e){var o=this,c={};o.start=function(e){"undefined"!=typeof c[e]&&me(a,2,62,"start was called more than
2024-07-24 16:53:11 UTC	16384	IN	Data Raw: 61 67 73 3d 6d 73 28 21 30 2c 6e 2e 5f 70 61 67 65 54 61 67 73 2c 74 2e 70 61 67 65 54 61 67 73 29 29 2c 65 2e 70 72 6f 70 65 72 74 69 65 73 3d 65 2e 70 72 6f 70 65 72 74 69 65 73 7c 7c 7b 7d 2c 65 2e 70 72 6f 70 65 72 74 69 65 73 2e 70 61 67 65 54 61 67 73 3d 6e 2e 5f 70 61 67 65 54 61 67 73 7d 2c 65 70 2e 70 72 6f 74 6f 74 79 70 65 2e 5f 67 65 74 42 65 68 61 76 69 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3b 72 65 74 75 72 6e 20 65 26 26 63 65 28 65 2e 62 65 68 61 76 69 6f 72 29 3f 74 3d 65 2e 62 65 68 61 76 69 6f 72 3a 63 65 28 74 68 69 73 2e 5f 62 65 68 61 76 69 6f 72 4d 65 74 61 54 61 67 29 26 26 28 74 3d 74 68 69 73 2e 5f 62 65 68 61 76 69 6f 72 4d 65 74 61 54 61 67 29 2c 74 68 69 73 2e 5f 67 65 74 56 61 6c 69 64 42 65 68 61 76 69 Data Ascii: ags=ms(!0,n._pageTags,t.pageTags)),e.properties=e.properties\|\|{},e.properties.pageTags=n._pageTags},ep.prototype._getBehavior=function(e){var t;return e&&ce(e.behavior)?t=e.behavior:ce(this._behaviorMetaTag)&&(t=this._behaviorMetaTag),this._getValidBehavi
2024-07-24 16:53:11 UTC	16384	IN	Data Raw: 6d 65 73 2e 63 6f 6e 74 65 6e 74 4e 61 6d 65 29 3b 72 26 26 28 61 5b 74 5d 3d 72 29 2c 69 26 26 28 61 5b 6e 5d 3d 69 29 7d 72 65 74 75 72 6e 20 61 7d 2c 53 70 29 3b 66 75 6e 63 74 69 6f 6e 20 53 70 28 65 2c 74 29 7b 74 68 69 73 2e 5f 63 6f 6e 66 69 67 3d 65 2c 74 68 69 73 2e 5f 74 72 61 63 65 4c 6f 67 67 65 72 3d 74 2c 74 68 69 73 2e 5f 63 6f 6e 74 65 6e 74 42 6c 6f 62 46 69 65 6c 64 4e 61 6d 65 73 3d 6e 75 6c 6c 2c 74 68 69 73 2e 5f 63 6f 6e 74 65 6e 74 42 6c 6f 62 46 69 65 6c 64 4e 61 6d 65 73 3d 21 30 3d 3d 3d 74 68 69 73 2e 5f 63 6f 6e 66 69 67 2e 75 73 65 53 68 6f 72 74 4e 61 6d 65 46 6f 72 43 6f 6e 74 65 6e 74 42 6c 6f 62 3f 54 70 2e 73 68 6f 72 74 4e 61 6d 65 73 3a 54 70 2e 6c 6f 6e 67 4e 61 6d 65 73 7d 76 61 72 20 78 70 2c 4e 70 3d 48 65 28 7b 75 Data Ascii: mes.contentName);r&&(a[t]=r),i&&(a[n]=i)}return a},Sp);function Sp(e,t){this._config=e,this._traceLogger=t,this._contentBlobFieldNames=null,this._contentBlobFieldNames=!0===this._config.useShortNameForContentBlob?Tp.shortNames:Tp.longNames}var xp,Np=He({u
2024-07-24 16:53:11 UTC	16384	IN	Data Raw: 67 3d 22 73 65 6e 64 54 79 70 65 22 2c 4b 67 3d 22 61 64 64 48 65 61 64 65 72 22 2c 47 67 3d 22 63 61 6e 53 65 6e 64 52 65 71 75 65 73 74 22 2c 58 67 3d 22 73 65 6e 64 51 75 65 75 65 64 52 65 71 75 65 73 74 73 22 2c 4a 67 3d 22 69 73 43 6f 6d 70 6c 65 74 65 6c 79 49 64 6c 65 22 2c 51 67 3d 22 73 65 74 55 6e 6c 6f 61 64 69 6e 67 22 2c 59 67 3d 22 73 65 6e 64 53 79 6e 63 68 72 6f 6e 6f 75 73 42 61 74 63 68 22 2c 24 67 3d 22 5f 74 72 61 6e 73 70 6f 72 74 22 2c 5a 67 3d 22 67 65 74 57 50 61 72 61 6d 22 2c 65 76 3d 22 69 73 42 65 61 63 6f 6e 22 2c 74 76 3d 22 74 69 6d 69 6e 67 73 22 2c 6e 76 3d 22 69 73 54 65 61 72 64 6f 77 6e 22 2c 72 76 3d 22 69 73 53 79 6e 63 22 2c 69 76 3d 22 64 61 74 61 22 2c 61 76 3d 22 5f 73 65 6e 64 52 65 61 73 6f 6e 22 2c 6f 76 3d 22 Data Ascii: g="sendType",Kg="addHeader",Gg="canSendRequest",Xg="sendQueuedRequests",Jg="isCompletelyIdle",Qg="setUnloading",Yg="sendSynchronousBatch",$g="_transport",Zg="getWParam",ev="isBeacon",tv="timings",nv="isTeardown",rv="isSync",iv="data",av="_sendReason",ov="
2024-07-24 16:53:11 UTC	16384	IN	Data Raw: 28 29 7b 72 65 3d 21 31 2c 61 65 3d 21 28 69 65 3d 5b 5d 29 2c 52 3d 31 65 34 2c 75 65 3d 7b 7d 2c 73 65 3d 59 70 2c 65 65 3d 21 28 46 3d 7b 7d 29 2c 71 3d 42 3d 56 3d 55 3d 63 65 3d 6f 65 3d 30 2c 7a 3d 2d 31 2c 4b 3d 21 28 57 3d 21 28 6a 3d 4c 3d 4d 3d 50 3d 6b 3d 6e 75 6c 6c 29 29 2c 47 3d 36 2c 74 65 3d 4a 3d 6e 75 6c 6c 2c 6e 65 3d 21 28 58 3d 32 29 2c 51 3d 50 76 28 29 2c 48 3d 6e 65 77 20 42 76 28 4f 3d 35 30 30 2c 32 2c 31 2c 7b 72 65 71 75 65 75 65 3a 65 2c 73 65 6e 64 3a 53 2c 73 65 6e 74 3a 78 2c 64 72 6f 70 3a 4e 2c 72 73 70 46 61 69 6c 3a 44 2c 6f 74 68 3a 41 7d 29 2c 74 28 29 2c 46 5b 34 5d 3d 7b 62 61 74 63 68 65 73 3a 5b 5d 2c 69 4b 65 79 4d 61 70 3a 7b 7d 7d 2c 46 5b 33 5d 3d 7b 62 61 74 63 68 65 73 3a 5b 5d 2c 69 4b 65 79 4d 61 70 3a 7b Data Ascii: (){re=!1,ae=!(ie=[]),R=1e4,ue={},se=Yp,ee=!(F={}),q=B=V=U=ce=oe=0,z=-1,K=!(W=!(j=L=M=P=k=null)),G=6,te=J=null,ne=!(X=2),Q=Pv(),H=new Bv(O=500,2,1,{requeue:e,send:S,sent:x,drop:N,rspFail:D,oth:A}),t(),F[4]={batches:[],iKeyMap:{}},F[3]={batches:[],iKeyMap:{

Timestamp	Bytes transferred	Direction	Data
2024-07-24 16:53:12 UTC	370	OUT	GET /scripts/c/ms.jsll-4.min.js HTTP/1.1 Host: js.monitor.azure.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-24 16:53:12 UTC	958	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 16:53:12 GMT Content-Type: text/javascript; charset=utf-8 Content-Length: 206998 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: no-transform, public, max-age=1800, immutable Last-Modified: Mon, 15 Jul 2024 17:38:35 GMT ETag: 0x8DCA4F4F47351DF x-ms-request-id: bd54a350-101e-00a5-0729-dd7893000000 x-ms-version: 2009-09-19 x-ms-meta-jssdkver: 4.3.0 x-ms-meta-jssdksrc: [cdn]/scripts/c/ms.jsll-4.3.0.min.js Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-jssdkver,x-ms-meta-jssdksrc,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240724T165312Z-15b94bb6ff9l5m7947zaw26eh8000000029g0000000049qd x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-07-24 16:53:12 UTC	15426	IN	Data Raw: 2f 2a 21 0a 20 2a 20 31 44 53 20 4a 53 4c 4c 20 53 4b 55 2c 20 34 2e 33 2e 30 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 4d 69 63 72 6f 73 6f 66 74 20 61 6e 64 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 0a 20 2a 20 28 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 61 6c 20 4f 6e 6c 79 29 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 3d 22 75 6e 64 65 66 69 6e 65 64 22 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 21 3d 6e 29 74 28 65 78 70 6f 72 74 73 29 3b 65 6c 73 65 20 69 66 28 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 Data Ascii: /! 1DS JSLL SKU, 4.3.0 * Copyright (c) Microsoft and contributors. All rights reserved. * (Microsoft Internal Only) */!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&defi
2024-07-24 16:53:12 UTC	16384	IN	Data Raw: 66 65 28 22 63 6f 6e 73 6f 6c 65 22 29 29 26 26 28 72 2e 65 72 72 6f 72 7c 7c 72 2e 6c 6f 67 29 28 74 2c 61 65 28 69 29 29 29 29 7d 78 65 28 61 3d 7b 74 68 65 6e 3a 6f 2c 22 63 61 74 63 68 22 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 6f 28 75 6e 64 65 66 69 6e 65 64 2c 65 29 7d 2c 22 66 69 6e 61 6c 6c 79 22 3a 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 65 3d 74 2c 6e 3d 74 3b 72 65 74 75 72 6e 20 51 28 74 29 26 26 28 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 74 26 26 74 28 29 2c 65 7d 2c 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 74 68 72 6f 77 20 74 26 26 74 28 29 2c 65 7d 29 2c 6f 28 65 2c 6e 29 7d 7d 2c 22 73 74 61 74 65 22 2c 7b 67 65 74 3a 64 7d 29 2c 6d 74 28 29 26 26 28 61 5b 79 74 28 31 31 29 5d 3d 22 49 Data Ascii: fe("console"))&&(r.error\|\|r.log)(t,ae(i))))}xe(a={then:o,"catch":function(e){return o(undefined,e)},"finally":function(t){var e=t,n=t;return Q(t)&&(e=function(e){return t&&t(),e},n=function(e){throw t&&t(),e}),o(e,n)}},"state",{get:d}),mt()&&(a[yt(11)]="I
2024-07-24 16:53:12 UTC	16384	IN	Data Raw: 2c 6e 2e 68 3d 6e 2e 68 7c 7c 72 6e 28 73 63 2c 30 2c 6e 29 29 3a 4c 28 72 2c 5b 65 5d 29 29 7d 29 7d 64 63 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 66 63 3d 64 63 3b 66 75 6e 63 74 69 6f 6e 20 64 63 28 65 29 7b 74 68 69 73 2e 6c 69 73 74 65 6e 65 72 73 3d 5b 5d 3b 76 61 72 20 6e 2c 69 3d 5b 5d 2c 61 3d 7b 68 3a 6e 75 6c 6c 2c 63 62 3a 5b 5d 7d 2c 6f 3d 6c 6f 28 65 2c 75 63 29 5b 47 6e 5d 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6e 3d 21 21 65 2e 63 66 67 2e 70 65 72 66 45 76 74 73 53 65 6e 64 41 6c 6c 7d 29 3b 76 65 28 64 63 2c 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 59 28 65 2c 22 6c 69 73 74 65 6e 65 72 73 22 2c 7b 67 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 69 7d 7d 29 2c 65 5b 74 72 5d 3d 66 75 6e 63 74 69 6f 6e 28 65 29 Data Ascii: ,n.h=n.h\|\|rn(sc,0,n)):L(r,[e]))})}dc.__ieDyn=1;var fc=dc;function dc(e){this.listeners=[];var n,i=[],a={h:null,cb:[]},o=lo(e,uc)[Gn](function(e){n=!!e.cfg.perfEvtsSendAll});ve(dc,this,function(e){Y(e,"listeners",{g:function(){return i}}),e[tr]=function(e)
2024-07-24 16:53:12 UTC	16384	IN	Data Raw: 28 61 29 7d 2c 36 2c 6e 29 2c 69 7d 2c 66 5b 63 72 5d 3d 73 2c 66 2e 61 64 64 50 6c 75 67 69 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 2c 72 29 7b 69 66 28 21 65 29 72 65 74 75 72 6e 20 72 26 26 72 28 21 31 29 2c 76 6f 69 64 20 43 28 6e 75 29 3b 76 61 72 20 69 3d 73 28 65 5b 5a 6e 5d 29 3b 69 66 28 69 26 26 21 74 29 72 65 74 75 72 6e 20 72 26 26 72 28 21 31 29 2c 76 6f 69 64 20 43 28 22 50 6c 75 67 69 6e 20 5b 22 2b 65 5b 5a 6e 5d 2b 22 5d 20 69 73 20 61 6c 72 65 61 64 79 20 6c 6f 61 64 65 64 21 22 29 3b 76 61 72 20 61 2c 6f 3d 7b 72 65 61 73 6f 6e 3a 31 36 7d 3b 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 41 5b 74 65 5d 28 65 29 2c 6f 2e 61 64 64 65 64 3d 5b 65 5d 2c 67 28 6f 29 2c 72 26 26 72 28 21 30 29 7d 69 3f 76 28 61 3d 5b 69 2e 70 6c 75 67 69 6e Data Ascii: (a)},6,n),i},f[cr]=s,f.addPlugin=function(e,t,n,r){if(!e)return r&&r(!1),void C(nu);var i=s(e[Zn]);if(i&&!t)return r&&r(!1),void C("Plugin ["+e[Zn]+"] is already loaded!");var a,o={reason:16};function c(){A[te](e),o.added=[e],g(o),r&&r(!0)}i?v(a=[i.plugin
2024-07-24 16:53:12 UTC	16384	IN	Data Raw: 73 5d 28 29 2c 6e 3d 66 65 28 65 3d 3d 3d 43 6c 2e 4c 6f 63 61 6c 53 74 6f 72 61 67 65 3f 22 6c 6f 63 61 6c 53 74 6f 72 61 67 65 22 3a 22 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 22 29 2c 72 3d 54 6c 2b 74 2c 69 3d 28 6e 2e 73 65 74 49 74 65 6d 28 72 2c 74 29 2c 6e 2e 67 65 74 49 74 65 6d 28 72 29 21 3d 3d 74 29 3b 69 66 28 6e 5b 77 73 5d 28 72 29 2c 21 69 29 72 65 74 75 72 6e 20 6e 7d 63 61 74 63 68 28 61 29 7b 7d 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 66 75 6e 63 74 69 6f 6e 20 45 6c 28 29 7b 72 65 74 75 72 6e 20 5f 6c 28 29 3f 49 6c 28 43 6c 2e 53 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 29 3a 6e 75 6c 6c 7d 66 75 6e 63 74 69 6f 6e 20 5f 6c 28 65 29 7b 72 65 74 75 72 6e 20 62 6c 3d 65 7c 7c 62 6c 3d 3d 3d 75 6e 64 65 66 69 6e 65 64 3f 21 21 49 6c 28 43 6c Data Ascii: s](),n=fe(e===Cl.LocalStorage?"localStorage":"sessionStorage"),r=Tl+t,i=(n.setItem(r,t),n.getItem(r)!==t);if(n[ws](r),!i)return n}catch(a){}return null}function El(){return _l()?Il(Cl.SessionStorage):null}function _l(e){return bl=e\|\|bl===undefined?!!Il(Cl
2024-07-24 16:53:12 UTC	16384	IN	Data Raw: 72 6e 20 6f 7d 7d 29 2c 59 28 65 2c 22 70 61 67 65 56 69 73 69 74 54 69 6d 65 54 72 61 63 6b 69 6e 67 48 61 6e 64 6c 65 72 22 2c 7b 67 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 7d 7d 29 7d 29 7d 76 61 72 20 45 64 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 74 68 69 73 5b 6c 64 5d 3d 4f 74 28 29 2c 74 68 69 73 2e 70 61 67 65 4e 61 6d 65 3d 65 2c 74 68 69 73 2e 70 61 67 65 55 72 6c 3d 74 7d 2c 5f 64 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 65 29 7b 76 61 72 20 6f 3d 74 68 69 73 2c 63 3d 7b 7d 3b 6f 2e 73 74 61 72 74 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 63 5b 65 5d 26 26 6d 65 28 61 2c 32 2c 36 32 2c 22 73 74 61 72 74 20 77 61 73 20 63 61 6c 6c 65 64 20 6d 6f 72 65 20 74 68 61 6e 20 Data Ascii: rn o}}),Y(e,"pageVisitTimeTrackingHandler",{g:function(){return c}})})}var Ed=function(e,t){this[ld]=Ot(),this.pageName=e,this.pageUrl=t},_d=function(a,e){var o=this,c={};o.start=function(e){"undefined"!=typeof c[e]&&me(a,2,62,"start was called more than
2024-07-24 16:53:12 UTC	16384	IN	Data Raw: 61 67 73 3d 6d 73 28 21 30 2c 6e 2e 5f 70 61 67 65 54 61 67 73 2c 74 2e 70 61 67 65 54 61 67 73 29 29 2c 65 2e 70 72 6f 70 65 72 74 69 65 73 3d 65 2e 70 72 6f 70 65 72 74 69 65 73 7c 7c 7b 7d 2c 65 2e 70 72 6f 70 65 72 74 69 65 73 2e 70 61 67 65 54 61 67 73 3d 6e 2e 5f 70 61 67 65 54 61 67 73 7d 2c 65 70 2e 70 72 6f 74 6f 74 79 70 65 2e 5f 67 65 74 42 65 68 61 76 69 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3b 72 65 74 75 72 6e 20 65 26 26 63 65 28 65 2e 62 65 68 61 76 69 6f 72 29 3f 74 3d 65 2e 62 65 68 61 76 69 6f 72 3a 63 65 28 74 68 69 73 2e 5f 62 65 68 61 76 69 6f 72 4d 65 74 61 54 61 67 29 26 26 28 74 3d 74 68 69 73 2e 5f 62 65 68 61 76 69 6f 72 4d 65 74 61 54 61 67 29 2c 74 68 69 73 2e 5f 67 65 74 56 61 6c 69 64 42 65 68 61 76 69 Data Ascii: ags=ms(!0,n._pageTags,t.pageTags)),e.properties=e.properties\|\|{},e.properties.pageTags=n._pageTags},ep.prototype._getBehavior=function(e){var t;return e&&ce(e.behavior)?t=e.behavior:ce(this._behaviorMetaTag)&&(t=this._behaviorMetaTag),this._getValidBehavi
2024-07-24 16:53:12 UTC	16384	IN	Data Raw: 6d 65 73 2e 63 6f 6e 74 65 6e 74 4e 61 6d 65 29 3b 72 26 26 28 61 5b 74 5d 3d 72 29 2c 69 26 26 28 61 5b 6e 5d 3d 69 29 7d 72 65 74 75 72 6e 20 61 7d 2c 53 70 29 3b 66 75 6e 63 74 69 6f 6e 20 53 70 28 65 2c 74 29 7b 74 68 69 73 2e 5f 63 6f 6e 66 69 67 3d 65 2c 74 68 69 73 2e 5f 74 72 61 63 65 4c 6f 67 67 65 72 3d 74 2c 74 68 69 73 2e 5f 63 6f 6e 74 65 6e 74 42 6c 6f 62 46 69 65 6c 64 4e 61 6d 65 73 3d 6e 75 6c 6c 2c 74 68 69 73 2e 5f 63 6f 6e 74 65 6e 74 42 6c 6f 62 46 69 65 6c 64 4e 61 6d 65 73 3d 21 30 3d 3d 3d 74 68 69 73 2e 5f 63 6f 6e 66 69 67 2e 75 73 65 53 68 6f 72 74 4e 61 6d 65 46 6f 72 43 6f 6e 74 65 6e 74 42 6c 6f 62 3f 54 70 2e 73 68 6f 72 74 4e 61 6d 65 73 3a 54 70 2e 6c 6f 6e 67 4e 61 6d 65 73 7d 76 61 72 20 78 70 2c 4e 70 3d 48 65 28 7b 75 Data Ascii: mes.contentName);r&&(a[t]=r),i&&(a[n]=i)}return a},Sp);function Sp(e,t){this._config=e,this._traceLogger=t,this._contentBlobFieldNames=null,this._contentBlobFieldNames=!0===this._config.useShortNameForContentBlob?Tp.shortNames:Tp.longNames}var xp,Np=He({u
2024-07-24 16:53:12 UTC	16384	IN	Data Raw: 67 3d 22 73 65 6e 64 54 79 70 65 22 2c 4b 67 3d 22 61 64 64 48 65 61 64 65 72 22 2c 47 67 3d 22 63 61 6e 53 65 6e 64 52 65 71 75 65 73 74 22 2c 58 67 3d 22 73 65 6e 64 51 75 65 75 65 64 52 65 71 75 65 73 74 73 22 2c 4a 67 3d 22 69 73 43 6f 6d 70 6c 65 74 65 6c 79 49 64 6c 65 22 2c 51 67 3d 22 73 65 74 55 6e 6c 6f 61 64 69 6e 67 22 2c 59 67 3d 22 73 65 6e 64 53 79 6e 63 68 72 6f 6e 6f 75 73 42 61 74 63 68 22 2c 24 67 3d 22 5f 74 72 61 6e 73 70 6f 72 74 22 2c 5a 67 3d 22 67 65 74 57 50 61 72 61 6d 22 2c 65 76 3d 22 69 73 42 65 61 63 6f 6e 22 2c 74 76 3d 22 74 69 6d 69 6e 67 73 22 2c 6e 76 3d 22 69 73 54 65 61 72 64 6f 77 6e 22 2c 72 76 3d 22 69 73 53 79 6e 63 22 2c 69 76 3d 22 64 61 74 61 22 2c 61 76 3d 22 5f 73 65 6e 64 52 65 61 73 6f 6e 22 2c 6f 76 3d 22 Data Ascii: g="sendType",Kg="addHeader",Gg="canSendRequest",Xg="sendQueuedRequests",Jg="isCompletelyIdle",Qg="setUnloading",Yg="sendSynchronousBatch",$g="_transport",Zg="getWParam",ev="isBeacon",tv="timings",nv="isTeardown",rv="isSync",iv="data",av="_sendReason",ov="
2024-07-24 16:53:12 UTC	16384	IN	Data Raw: 28 29 7b 72 65 3d 21 31 2c 61 65 3d 21 28 69 65 3d 5b 5d 29 2c 52 3d 31 65 34 2c 75 65 3d 7b 7d 2c 73 65 3d 59 70 2c 65 65 3d 21 28 46 3d 7b 7d 29 2c 71 3d 42 3d 56 3d 55 3d 63 65 3d 6f 65 3d 30 2c 7a 3d 2d 31 2c 4b 3d 21 28 57 3d 21 28 6a 3d 4c 3d 4d 3d 50 3d 6b 3d 6e 75 6c 6c 29 29 2c 47 3d 36 2c 74 65 3d 4a 3d 6e 75 6c 6c 2c 6e 65 3d 21 28 58 3d 32 29 2c 51 3d 50 76 28 29 2c 48 3d 6e 65 77 20 42 76 28 4f 3d 35 30 30 2c 32 2c 31 2c 7b 72 65 71 75 65 75 65 3a 65 2c 73 65 6e 64 3a 53 2c 73 65 6e 74 3a 78 2c 64 72 6f 70 3a 4e 2c 72 73 70 46 61 69 6c 3a 44 2c 6f 74 68 3a 41 7d 29 2c 74 28 29 2c 46 5b 34 5d 3d 7b 62 61 74 63 68 65 73 3a 5b 5d 2c 69 4b 65 79 4d 61 70 3a 7b 7d 7d 2c 46 5b 33 5d 3d 7b 62 61 74 63 68 65 73 3a 5b 5d 2c 69 4b 65 79 4d 61 70 3a 7b Data Ascii: (){re=!1,ae=!(ie=[]),R=1e4,ue={},se=Yp,ee=!(F={}),q=B=V=U=ce=oe=0,z=-1,K=!(W=!(j=L=M=P=k=null)),G=6,te=J=null,ne=!(X=2),Q=Pv(),H=new Bv(O=500,2,1,{requeue:e,send:S,sent:x,drop:N,rspFail:D,oth:A}),t(),F[4]={batches:[],iKeyMap:{}},F[3]={batches:[],iKeyMap:{

Timestamp	Bytes transferred	Direction	Data
2024-07-24 16:53:12 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-24 16:53:13 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF4C) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=83801 Date: Wed, 24 Jul 2024 16:53:12 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-07-24 16:53:14 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-24 16:53:14 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=83800 Date: Wed, 24 Jul 2024 16:53:14 GMT Content-Length: 55 Connection: close X-CID: 2
2024-07-24 16:53:14 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-07-24 16:53:20 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S8+5YrXKhXghv93&MD=EDNDSfnb HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-24 16:53:20 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: b7b97a7c-1257-4090-8935-6ca5e2fa5f95 MS-RequestId: c5f01ddc-cf8b-4d0b-b7dd-744aa47b3c63 MS-CV: WKQ5uy+bPE24tRXs.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 24 Jul 2024 16:53:19 GMT Connection: close Content-Length: 24490
2024-07-24 16:53:20 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-07-24 16:53:20 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-07-24 16:53:59 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S8+5YrXKhXghv93&MD=EDNDSfnb HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-24 16:53:59 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 9213f4f6-a151-41dd-a82f-35da47616cf0 MS-RequestId: 5965111b-4062-404b-be1a-d441c520e7c5 MS-CV: 8Zm643HiH0qUnzsz.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 24 Jul 2024 16:53:59 GMT Connection: close Content-Length: 30005
2024-07-24 16:53:59 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-07-24 16:53:59 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	12:52:59
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe"
Imagebase:	0x680000
File size:	53'760 bytes
MD5 hash:	1A4AC0F78511C028B51E0B302B080946
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.2056954933.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	12:53:04
Start date:	24/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	12:53:07
Start date:	24/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	12:53:08
Start date:	24/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1936,i,10713725616331725220,8343982404964030147,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 150

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Chrome Cache Entry: 154

Chrome Cache Entry: 155

Chrome Cache Entry: 156

Windows Analysis Report
7F95320763FDCB0F731CE91FB8E178D4110E10A1D56836F442BA34C6F2A631F6.exe

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre