Edit tour

Windows Analysis Report
LisectAVT_2403002C_142.exe

Overview

General Information

Sample name:	LisectAVT_2403002C_142.exe
Analysis ID:	1481468
MD5:	01da9ea1cc55c02a1755b20a4ec69f05
SHA1:	1e2d88fc38f6afbde00ce873c2325c8d0c327879
SHA256:	e10057cbc98b12819a4a3a41f68281398a3f18f0a411019e7f069b31a11395fc
Tags:	exenjrat
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

Contains functionality to disable the Task Manager (.Net Source)

Contains functionality to spread to USB devices (.Net source)

Machine Learning detection for sample

PE file contains section with special chars

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

PE file contains sections with non-standard names

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002C_142.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002C_142.exe" MD5: 01DA9EA1CC55C02A1755B20A4EC69F05)

chrome.exe (PID: 7676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7900 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1904,i,3045040594546194306,8046493471930814901,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3552 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4508 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1888,i,6999489819283979014,13540749176578719827,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "Lmao", "Version": "0.7d", "Install Name": "496779573766ea94e8f182410716b25d", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002C_142.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
LisectAVT_2403002C_142.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a27:$a2: SEE_MASK_NOZONECHECKS 0x156c9:$a3: Download ERROR 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c06:$a5: netsh firewall delete allowedprogram "
LisectAVT_2403002C_142.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a27:$reg: SEE_MASK_NOZONECHECKS 0x156ad:$msg: Execute ERROR 0x15701:$msg: Execute ERROR 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
LisectAVT_2403002C_142.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113d2:$a1: get_Registry 0x15827:$a2: SEE_MASK_NOZONECHECKS 0x154c9:$a3: Download ERROR 0x15a79:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13a06:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15827:$reg: SEE_MASK_NOZONECHECKS 0x154ad:$msg: Execute ERROR 0x15501:$msg: Execute ERROR 0x15a79:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: LisectAVT_2403002C_142.exe PID: 7492	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.LisectAVT_2403002C_142.exe.20000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.LisectAVT_2403002C_142.exe.20000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a27:$a2: SEE_MASK_NOZONECHECKS 0x156c9:$a3: Download ERROR 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c06:$a5: netsh firewall delete allowedprogram "
0.0.LisectAVT_2403002C_142.exe.20000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a27:$reg: SEE_MASK_NOZONECHECKS 0x156ad:$msg: Execute ERROR 0x15701:$msg: Execute ERROR 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.LisectAVT_2403002C_142.exe.20000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR

Suricata Signatures

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:47:57.186261+0200
SID:	2012510
Source Port:	443
Destination Port:	49726
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:47:59.822671+0200
SID:	2012510
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:47:59.844808+0200
SID:	2012510
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:48:40.834189+0200
SID:	2022930
Source Port:	443
Destination Port:	60450
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:47:58.111870+0200
SID:	2012510
Source Port:	443
Destination Port:	49726
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:47:56.967085+0200
SID:	2012510
Source Port:	443
Destination Port:	49726
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:48:00.029513+0200
SID:	2012510
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:48:00.949369+0200
SID:	2012510
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:47:58.111882+0200
SID:	2012510
Source Port:	443
Destination Port:	49726
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:47:56.999296+0200
SID:	2012510
Source Port:	443
Destination Port:	49726
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:48:02.551404+0200
SID:	2022930
Source Port:	443
Destination Port:	49760
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET SHELLCODE UTF-8/16 Encoded Shellcode - Source IP: 95.101.150.2 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T09:48:00.949372+0200
SID:	2012510
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002C_142.exe

Avira: detected

Found malware configuration

Source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "Lmao", "Version": "0.7d", "Install Name": "496779573766ea94e8f182410716b25d", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for submitted file

Source: LisectAVT_2403002C_142.exe

ReversingLabs: Detection: 97%

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002C_142.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002C_142.exe PID: 7492, type: MEMORYSTR

Machine Learning detection for sample

Source: LisectAVT_2403002C_142.exe

Joe Sandbox ML: detected

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: LisectAVT_2403002C_142.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.8:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:60450 version: TLS 1.2

Source: LisectAVT_2403002C_142.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Contains functionality to spread to USB devices (.Net source)

Source: LisectAVT_2403002C_142.exe, Usb1.cs

.Net Code: infect

Source: LisectAVT_2403002C_142.exe, 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: LisectAVT_2403002C_142.exe, 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002C_142.exe, 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: LisectAVT_2403002C_142.exe	Binary or memory string: \autorun.inf
Source: LisectAVT_2403002C_142.exe	Binary or memory string: [autorun]
Source: LisectAVT_2403002C_142.exe	Binary or memory string: autorun.inf

Source: global traffic

TCP traffic: 192.168.2.8:60448 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 13.107.246.42 13.107.246.42
Source: Joe Sandbox View	IP Address: 13.107.253.45 13.107.253.45
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 13.107.253.42 13.107.253.42

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172

Source: global traffic	HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3FgPvgo5hwHzvrg&MD=TArSOtKe HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3FgPvgo5hwHzvrg&MD=TArSOtKe HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: </section>`}function Ise(e=hT,t=Gd){return Ha(UB,e,t)}function Pse(e=TT,t=yT){return Ha(aB,e,t)}var yI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yI\|\|{}),xke={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function ex(e,t,n){let o=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=n?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(c8.replace("{achievementTitle}",n?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),g={achievementCopy:p,url:u,title:o,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: </section>`}function Ise(e=hT,t=Gd){return Ha(UB,e,t)}function Pse(e=TT,t=yT){return Ha(aB,e,t)}var yI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yI\|\|{}),xke={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function ex(e,t,n){let o=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=n?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(c8.replace("{achievementTitle}",n?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),g={achievementCopy:p,url:u,title:o,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: </section>`}function Ise(e=hT,t=Gd){return Ha(UB,e,t)}function Pse(e=TT,t=yT){return Ha(aB,e,t)}var yI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yI\|\|{}),xke={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function ex(e,t,n){let o=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=n?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(c8.replace("{achievementTitle}",n?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),g={achievementCopy:p,url:u,title:o,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)

Source: global traffic	DNS traffic detected: DNS query: mdec.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: js.monitor.azure.com

Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_162.5.dr	String found in binary or memory: http://schema.org/Organization
Source: chromecache_162.5.dr	String found in binary or memory: https://aka.ms/ContentUserFeedback
Source: chromecache_161.5.dr, chromecache_159.5.dr	String found in binary or memory: https://aka.ms/DP600/Plan/LearnT2?ocid=fabric24-dp600plan_learnpromo_T2_ad
Source: chromecache_161.5.dr, chromecache_159.5.dr	String found in binary or memory: https://aka.ms/LFO_Events?wt.mc_id=esi_lfobannerevents_webpage_wwl
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_162.5.dr	String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_162.5.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_162.5.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_162.5.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: chromecache_180.5.dr	String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://github.com/$
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/Thraka
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/adegeo
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/dotnet/docs/issues
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/gewarren
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/mairaw
Source: chromecache_162.5.dr	String found in binary or memory: https://github.com/nschonni
Source: chromecache_162.5.dr	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://learn-video.azurefd.net/
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_180.5.dr	String found in binary or memory: https://schema.org
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_187.5.dr, chromecache_180.5.dr	String found in binary or memory: https://www.linkedin.com/cws/share?url=$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60453
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60450
Source: unknown	Network traffic detected: HTTP traffic on port 60450 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60453 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.8:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:60450 version: TLS 1.2

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002C_142.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002C_142.exe PID: 7492, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: LisectAVT_2403002C_142.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: LisectAVT_2403002C_142.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: LisectAVT_2403002C_142.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

PE file contains section with special chars

Source: LisectAVT_2403002C_142.exe

Static PE information: section name: >|u

Source: LisectAVT_2403002C_142.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LisectAVT_2403002C_142.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: LisectAVT_2403002C_142.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: LisectAVT_2403002C_142.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@29/67@10/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: LisectAVT_2403002C_142.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002C_142.exe

ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe "C:\Users\user\Desktop\LisectAVT_2403002C_142.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1904,i,3045040594546194306,8046493471930814901,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1888,i,6999489819283979014,13540749176578719827,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1904,i,3045040594546194306,8046493471930814901,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1888,i,6999489819283979014,13540749176578719827,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Section loaded: wkscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: LisectAVT_2403002C_142.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LisectAVT_2403002C_142.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: LisectAVT_2403002C_142.exe, Fransesco.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: initial sample

Static PE information: section where entry point is pointing to: >|u

Source: LisectAVT_2403002C_142.exe

Static PE information: section name: >|u

Source: LisectAVT_2403002C_142.exe

Static PE information: section name: >|u entropy: 6.934439630498995

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: LisectAVT_2403002C_142.exe, 00000000.00000002.1546170095.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: LisectAVT_2403002C_142.exe, 00000000.00000002.1546170095.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002C_142.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior

Source: LisectAVT_2403002C_142.exe	Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: LisectAVT_2403002C_142.exe	Binary or memory string: Shell_TrayWnd
Source: LisectAVT_2403002C_142.exe	Binary or memory string: ProgMan

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: LisectAVT_2403002C_142.exe, Fransesco.cs

.Net Code: INS

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002C_142.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002C_142.exe PID: 7492, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: LisectAVT_2403002C_142.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LisectAVT_2403002C_142.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002C_142.exe PID: 7492, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	11 Replication Through Removable Media	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	1 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
LisectAVT_2403002C_142.exe	97%	ReversingLabs	Win32.Virus.Jadtre
LisectAVT_2403002C_142.exe	100%	Avira	W32/Jadtre.B
LisectAVT_2403002C_142.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://polymer.github.io/PATENTS.txt	0%	URL Reputation	safe
https://schema.org	0%	URL Reputation	safe
http://polymer.github.io/LICENSE.txt	0%	URL Reputation	safe
http://polymer.github.io/AUTHORS.txt	0%	URL Reputation	safe
https://aka.ms/yourcaliforniaprivacychoices	0%	URL Reputation	safe
http://schema.org/Organization	0%	URL Reputation	safe
http://polymer.github.io/CONTRIBUTORS.txt	0%	URL Reputation	safe
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	0%	Avira URL Cloud	safe
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/issues	0%	Avira URL Cloud	safe
https://github.com/Thraka	0%	Avira URL Cloud	safe
https://client-api.arkoselabs.com/v2/api.js	0%	Avira URL Cloud	safe
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	0%	Avira URL Cloud	safe
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	0%	Avira URL Cloud	safe
https://aka.ms/certhelp	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	0%	Avira URL Cloud	safe
https://www.linkedin.com/cws/share?url=$	0%	Avira URL Cloud	safe
https://aka.ms/ContentUserFeedback	0%	Avira URL Cloud	safe
https://github.com/nschonni	0%	Avira URL Cloud	safe
https://github.com/Youssef1313	0%	Avira URL Cloud	safe
https://management.azure.com/subscriptions?api-version=2016-06-01	0%	Avira URL Cloud	safe
https://github.com/mairaw	0%	Avira URL Cloud	safe
https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js	0%	Avira URL Cloud	safe
https://aka.ms/DP600/Plan/LearnT2?ocid=fabric24-dp600plan_learnpromo_T2_ad	0%	Avira URL Cloud	safe
https://github.com/adegeo	0%	Avira URL Cloud	safe
https://aka.ms/pshelpmechoose	0%	Avira URL Cloud	safe
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	0%	Avira URL Cloud	safe
https://octokit.github.io/rest.js/#throttling	0%	Avira URL Cloud	safe
https://aka.ms/feedback/report?space=61	0%	Avira URL Cloud	safe
https://github.com/$	0%	Avira URL Cloud	safe
https://github.com/js-cookie/js-cookie	0%	Avira URL Cloud	safe
https://twitter.com/intent/tweet?original_referer=$	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/vod/player	0%	Avira URL Cloud	safe
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0	0%	Avira URL Cloud	safe
https://github.com/gewarren	0%	Avira URL Cloud	safe
https://channel9.msdn.com/	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/	0%	Avira URL Cloud	safe
https://github.com/dotnet/try	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0014.t-0009.t-msedge.net	13.107.246.42	true	false	unknown
s-part-0014.t-0009.fb-t-msedge.net	13.107.253.42	true	false	unknown
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	unknown
www.google.com	172.217.18.4	true	false	unknown
js.monitor.azure.com	unknown	unknown	true	unknown
mdec.nelreports.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://client-api.arkoselabs.com/v2/api.js	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/Thraka	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/issues	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
http://polymer.github.io/PATENTS.txt	chromecache_187.5.dr, chromecache_180.5.dr	false	URL Reputation: safe	unknown
https://aka.ms/LFO_Events?wt.mc_id=esi_lfobannerevents_webpage_wwl	chromecache_161.5.dr, chromecache_159.5.dr	false		unknown
https://aka.ms/certhelp	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://www.linkedin.com/cws/share?url=$	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/ContentUserFeedback	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/mairaw	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://schema.org	chromecache_180.5.dr	false	URL Reputation: safe	unknown
http://polymer.github.io/LICENSE.txt	chromecache_187.5.dr, chromecache_180.5.dr	false	URL Reputation: safe	unknown
https://github.com/Youssef1313	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
http://polymer.github.io/AUTHORS.txt	chromecache_187.5.dr, chromecache_180.5.dr	false	URL Reputation: safe	unknown
https://aka.ms/yourcaliforniaprivacychoices	chromecache_162.5.dr	false	URL Reputation: safe	unknown
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/nschonni	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/DP600/Plan/LearnT2?ocid=fabric24-dp600plan_learnpromo_T2_ad	chromecache_161.5.dr, chromecache_159.5.dr	false	Avira URL Cloud: safe	unknown
https://management.azure.com/subscriptions?api-version=2016-06-01	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/adegeo	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/pshelpmechoose	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/feedback/report?space=61	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/jonschlinkert/is-plain-object	chromecache_187.5.dr, chromecache_180.5.dr	false		unknown
https://octokit.github.io/rest.js/#throttling	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/js-cookie/js-cookie	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://learn-video.azurefd.net/vod/player	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://twitter.com/intent/tweet?original_referer=$	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/$	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/gewarren	chromecache_162.5.dr	false	Avira URL Cloud: safe	unknown
http://schema.org/Organization	chromecache_162.5.dr	false	URL Reputation: safe	unknown
http://polymer.github.io/CONTRIBUTORS.txt	chromecache_187.5.dr, chromecache_180.5.dr	false	URL Reputation: safe	unknown
https://channel9.msdn.com/	chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://learn-video.azurefd.net/	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/try	chromecache_187.5.dr, chromecache_180.5.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.42	s-part-0014.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.18.4	www.google.com	United States	15169	GOOGLEUS	false
13.107.253.45	s-part-0017.t-0009.fb-t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
13.107.253.42	s-part-0014.t-0009.fb-t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.8

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481468
Start date and time:	2024-07-25 09:46:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002C_142.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@29/67@10/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.35, 2.19.246.123, 142.250.185.238, 74.125.133.84, 34.104.35.123, 95.101.150.2, 2.19.126.156, 2.19.126.137, 216.58.206.74, 172.217.16.138, 142.250.185.138, 142.250.185.74, 142.250.186.106, 172.217.23.106, 142.250.185.106, 172.217.18.10, 142.250.184.202, 142.250.185.202, 142.250.185.170, 142.250.186.74, 216.58.206.42, 142.250.181.234, 142.250.185.234, 142.250.186.42, 52.168.117.171, 192.229.221.95, 13.74.129.1, 13.107.21.237, 204.79.197.237, 52.168.117.169, 142.250.185.131, 142.250.185.206
Excluded domains from analysis (whitelisted): aijscdn2.afd.azureedge.net, azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, onedscolprdeus10.eastus.cloudapp.azure.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, clients2.google.com, ocsp.digicert.com, a1883.dscd.akamai.net, onedscolprdeus16.eastus.cloudapp.azure.com, learn.microsoft.com.edgekey.net, update.googleapis.com, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, c-bing-com.dual-a-0034.a-msedge.net, learn.microsoft.com.edgekey.net.globalredir.akadns.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, aijscdn2.azureedge.net, browser.events.data.microsoft.com, edgedl.me.gvt1.com, e13636.dscb.akamaiedge.net, c.bing.com, learn-public.trafficmanager.net, go.microsoft.com.edgekey.net, dual-a-0034.a-msedge.ne
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: LisectAVT_2403002C_142.exe

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input

Output

URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Perplexity: mixtral-8x7b-instruct

{"loginform": false,"urgency": false,"captcha": false,"reasons": ["The webpage does not contain a login form, as it does not request any sensitive information such as passwords, email addresses, usernames, phone numbers, or credit card numbers.","The text of the webpage does not create a sense of urgency, as it does not contain phrases such as 'Click here to view document', 'To view secured document click here', or 'Open the link to see your invoice'.","The webpage does not contain a CAPTCHA or any other anti-robot detection mechanism."]}

Title: Fix .NET Framework 'This application could not be started' - .NET Framework | Microsoft Learn OCR: Learn Q Sign in Discover v Product documentation Development languages v Topics v .NET Languages Features v Workloads Troubleshooting Resources v Download .NET APIs v Filter by title .NET / .NET Framework / Learn / .NET Framework documentation "This application could not be Overview of .NET Framework started" error when running a .NET Get started v Installation guide Framework application Overview For developers Article  02/16/2023  6 contributors Feedback > By OS version Repair .NET framework In this article v TroubleshcHJt How to fix the error Troubleshoot install end uninstall See also Troubleshoot 'This application could not started' When you attempt to run a .NET Framework application, you may receive the "This .NET Framework 3.5 on Windows 8 application could not be started" error message. When this error is caused by an installed through Windows 11 version of .NET Framework not being detected, or by .NET Framework being corrupted, use this article to try to solve that problem. .NET Framework 1.1 on Windows 8 through Windows 11 mt.exe - This application could not be started. > Migration guide Development guide This application could not be started, > Tools Do you want to view information about this issue? > Additional APIs > What's new and obsolete Code analysis Yes No Download PDF

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.246.42	https://protect-us.mimecast.com/s/FVibCzpzxLsxEMXAhgAOBC	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
	http://border-fd.smartertechnologies.com/	Get hash	malicious	Unknown	Browse	border-fd.smartertechnologies.com/
	https://protect-us.mimecast.com/s/4MrPCrkvgotDWxrNCzxa8p	Get hash	malicious	Unknown	Browse	www.mimecast.com/
239.255.255.250	https://gist.github.com/CreativeRoy/7405537df8cb20f60a08246a6093453b	Get hash	malicious	Coinhive, Xmrig	Browse
	https://gist.github.com/qiuxiuya/d1415f62623f8acf65dd0a4c1096b1e2	Get hash	malicious	Xmrig	Browse
	LisectAVT_2403002C_181.exe	Get hash	malicious	Revenge	Browse
	https://forms.office.com/Pages/ResponsePage.aspx?id=kAi_W0yZC0qQpKIHxTYoPxauHzsZJkZMuCk5U9e1Y4RUNFlCMDNQTTdIRTdLV0dKQ1lOUjJYQjg4Si4u&origin=Invitation&channel=0	Get hash	malicious	HTMLPhisher	Browse
	LisectAVT_2403002C_66.exe	Get hash	malicious	Unknown	Browse
	Sol Distribution - SO-SBES3039324 - - PO52880.eml	Get hash	malicious	Unknown	Browse
	https://drive.google.com/file/d/18uQaHuJAdR5xS3lALDyDJ0z0B_5vCmVE/view?usp=drivesdk	Get hash	malicious	Unknown	Browse
	http://oopb.juhrtjao.shop/	Get hash	malicious	Unknown	Browse
	http://www.dpm.gov.pg	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1A_33.exe	Get hash	malicious	Unknown	Browse
13.107.253.42	https://cdp3.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNzJlOTY4NTBhOWZiNGE2ZWE0MGY0N2JjMzQ0NzQxOWIiLCJjcmVhdGlvbl90aW1lIjoxNzIxNzI5NzE0LCJtZXNzYWdlX2lkIjoiMGhtbWRwZ3d4ejU5cTJiZzU4eWRhem01I2ViOTU2OGFlLTUxMDEtNDRmOC1iYmM1LWNkYjdhMTU0MmZhOCIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzUzMjY1NzE0LCJyZWRpcmVjdF91cmwiOiJodHRwczovL21hY3Bob3RvZ3JhcGh5Lm9yZyIsImluZGl2aWR1YWxfaWQiOiIwMFFhbTAwMDAwQTVaYzVFQUYifQ.n1MJx5qXzIyes_2paKdgiE1L8vPLZY6s0PjxhlIpfl0	Get hash	malicious	HTMLPhisher	Browse
	PO N#U00b0202415-0004 CULTER-ASSOCIETES_pdf.exe	Get hash	malicious	AgentTesla	Browse
	https://emea.dcv.ms/mWYAaJ9Es5VL5xBm8gooqYiMKijC0p?owla=rlKBhvBq	Get hash	malicious	HTMLPhisher	Browse
	PowerShell101 (AutoRecovered).docx	Get hash	malicious	Unknown	Browse
	https://emurzhun.com/loop/Untitled/?id=84hsi4&p=page_1&c=1	Get hash	malicious	Unknown	Browse
	https://www.cognitoforms.com/Hhg3/PowerAdhesivesLtd	Get hash	malicious	Unknown	Browse
	Perfomance_Evalution.docx	Get hash	malicious	HTMLPhisher	Browse
	RFQ - From Arcadia Aerospace Industries Entry CodeRBW51-PU5Y-9A5R.html	Get hash	malicious	HTMLPhisher	Browse
	invoice-72717953897646054572255005658360083176291774189023-quiltercheviot.pdf	Get hash	malicious	HTMLPhisher	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
13.107.253.45	2FF72350C5FE5280B47181095F061645E0B9F11833A7659408580240556FEA61.exe	Get hash	malicious	Unknown	Browse
	http://link.mail.beehiiv.com/ss/c/u001.6C5fb2jgNhK_7sih4vM3VZa9fE9tHBc9fWZLirgY7_MATRo7_qx7xDq5ZlnkMcO1QobynJ6PiItP4Wtcapt8tiaBcTbWM1w1MHuIiN_t_ffA_hJhmN8MgAW_Y4IPUoI18R3nDq7jKhCU2UyzKyGI-WqX2eqj-24lz37CpJQS3GK6BrMVhay0EFgw7CotaqH_C4NeRs-Js1jFAgB-bC5fNuJsXIDVbqNxP8z0vJ5voWsqHFmAhBhiDboOh3SaB-W0Q5R0-uHhyR22-eNa4lM2dEMKEW-Uy_fmTStthhgMkN4s--utxh_CoRNop7H6ZS1KTlU8MhyHYw0Xczv8AC7SmYR5LDaG03-YqHtdniUuPK3bJken9x2qXEhtO3XWDwy5/489/-BrXoE3aRI6JP48kxPJ6yg/h6/h001.YHI9KXXSnEtAYI6X6AzK5QT189WwD3EM6jWgGhu4Mzw#MARKUS.LINGNAU@GATX.EU	Get hash	malicious	HTMLPhisher	Browse
	https://ashcroftinc-my.sharepoint.com/:o:/g/personal/jim_beecher_ashcroft_com/EbmeA-1APhZIkfAOSWvb8lgB2-ZnHrxyDgNCs9XUSwGk3g?e=4%3auSlIHZ&at=9&xsdata=MDV8MDJ8aXRzdXBwb3J0QHRoZXJtb3N5c3RlbXMuY29tfGRlOGQ2MzFhYjQwZDQzNDU5OWQ4MDhkY2E1MDBlNGFkfDk1NTFjNjI5ODMzODQ2NTY4ZWFlY2U5OWYwNTU5NmM3fDB8MHw2Mzg1NjY2NzA0NzEwNTA4NzN8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDB8fHw%3d&sdata=Q09aWmloVTZraXovREJ3SGgrWHFSV0MwTnQzRWthcksxUloxa0tMNWZkTT0%3d	Get hash	malicious	HTMLPhisher	Browse
	img_Zam#U00f3wienie - #20240716-A09461_pdf.com.exe	Get hash	malicious	AgentTesla	Browse
	https://midlandcomputerscouk.sharepoint.com/sites/Website/_layouts/15/AccessDenied.aspx?Source=https%3A%2F%2Fmidlandcomputerscouk%2Esharepoint%2Ecom%2Fsites%2FWebsite%3FuserExpiration%3D1%26p%3Dtrue&correlation=40d13ca1%2D20b5%2D9000%2D6a3f%2D58c0ad0360af	Get hash	malicious	Unknown	Browse
	https://1drv.ms/o/s!At-8sPpRzvxIqQDSUMWIAACun1sr?e=FTp3hr	Get hash	malicious	HTMLPhisher	Browse
	https://www.winhelponline.com/blog/microsoft-edge-url-shortcut/	Get hash	malicious	HTMLPhisher	Browse
	ACH Receipt.html	Get hash	malicious	HTMLPhisher	Browse
	Play____Now_AUD__autoresponse.htm	Get hash	malicious	Unknown	Browse
	Copy of Stonhard_BulkImageRefFileTemplate (version 1).eml	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0014.t-0009.t-msedge.net	Lisect_AVT_24003_G1A_33.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://emea.dcv.ms/V1nd75OZS4	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	Lisect_AVT_24003_G1A_59.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	Lisect_AVT_24003_G1A_76.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	Lisect_AVT_24003_G1A_62.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	Lisect_AVT_24003_G1A_46.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	LisectAVT_2403002B_493.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	Lisect_AVT_24003_G1A_49.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	LisectAVT_2403002A_61.exe	Get hash	malicious	Ramnit	Browse	13.107.246.42
	LisectAVT_2403002A_270.exe	Get hash	malicious	BlackMoon	Browse	13.107.246.42
s-part-0017.t-0009.fb-t-msedge.net	2FF72350C5FE5280B47181095F061645E0B9F11833A7659408580240556FEA61.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	http://link.mail.beehiiv.com/ss/c/u001.6C5fb2jgNhK_7sih4vM3VZa9fE9tHBc9fWZLirgY7_MATRo7_qx7xDq5ZlnkMcO1QobynJ6PiItP4Wtcapt8tiaBcTbWM1w1MHuIiN_t_ffA_hJhmN8MgAW_Y4IPUoI18R3nDq7jKhCU2UyzKyGI-WqX2eqj-24lz37CpJQS3GK6BrMVhay0EFgw7CotaqH_C4NeRs-Js1jFAgB-bC5fNuJsXIDVbqNxP8z0vJ5voWsqHFmAhBhiDboOh3SaB-W0Q5R0-uHhyR22-eNa4lM2dEMKEW-Uy_fmTStthhgMkN4s--utxh_CoRNop7H6ZS1KTlU8MhyHYw0Xczv8AC7SmYR5LDaG03-YqHtdniUuPK3bJken9x2qXEhtO3XWDwy5/489/-BrXoE3aRI6JP48kxPJ6yg/h6/h001.YHI9KXXSnEtAYI6X6AzK5QT189WwD3EM6jWgGhu4Mzw#MARKUS.LINGNAU@GATX.EU	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://ashcroftinc-my.sharepoint.com/:o:/g/personal/jim_beecher_ashcroft_com/EbmeA-1APhZIkfAOSWvb8lgB2-ZnHrxyDgNCs9XUSwGk3g?e=4%3auSlIHZ&at=9&xsdata=MDV8MDJ8aXRzdXBwb3J0QHRoZXJtb3N5c3RlbXMuY29tfGRlOGQ2MzFhYjQwZDQzNDU5OWQ4MDhkY2E1MDBlNGFkfDk1NTFjNjI5ODMzODQ2NTY4ZWFlY2U5OWYwNTU5NmM3fDB8MHw2Mzg1NjY2NzA0NzEwNTA4NzN8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDB8fHw%3d&sdata=Q09aWmloVTZraXovREJ3SGgrWHFSV0MwTnQzRWthcksxUloxa0tMNWZkTT0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	img_Zam#U00f3wienie - #20240716-A09461_pdf.com.exe	Get hash	malicious	AgentTesla	Browse	13.107.253.45
	https://midlandcomputerscouk.sharepoint.com/sites/Website/_layouts/15/AccessDenied.aspx?Source=https%3A%2F%2Fmidlandcomputerscouk%2Esharepoint%2Ecom%2Fsites%2FWebsite%3FuserExpiration%3D1%26p%3Dtrue&correlation=40d13ca1%2D20b5%2D9000%2D6a3f%2D58c0ad0360af	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://1drv.ms/o/s!At-8sPpRzvxIqQDSUMWIAACun1sr?e=FTp3hr	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	ACH Receipt.html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	Play____Now_AUD__autoresponse.htm	Get hash	malicious	Unknown	Browse	13.107.253.45
	Copy of Stonhard_BulkImageRefFileTemplate (version 1).eml	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://www.baidu.com/link?url=AFUg5ImByRbRDFqEAwVY_yQvqKKQI0Z9CKlSAojfE3k4FpO2skeOBycThw4wTQJI&wd=YWdyZWdvaXJlQGNvbW11bml0eWZvY3VzZmN1Lm9yZw==&eqid=ukEwxUaNVofiahyjoYydlLeVsGpoQBLJyZiHAGvxPtreMNMzHg	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
s-part-0014.t-0009.fb-t-msedge.net	https://cdp3.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNzJlOTY4NTBhOWZiNGE2ZWE0MGY0N2JjMzQ0NzQxOWIiLCJjcmVhdGlvbl90aW1lIjoxNzIxNzI5NzE0LCJtZXNzYWdlX2lkIjoiMGhtbWRwZ3d4ejU5cTJiZzU4eWRhem01I2ViOTU2OGFlLTUxMDEtNDRmOC1iYmM1LWNkYjdhMTU0MmZhOCIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzUzMjY1NzE0LCJyZWRpcmVjdF91cmwiOiJodHRwczovL21hY3Bob3RvZ3JhcGh5Lm9yZyIsImluZGl2aWR1YWxfaWQiOiIwMFFhbTAwMDAwQTVaYzVFQUYifQ.n1MJx5qXzIyes_2paKdgiE1L8vPLZY6s0PjxhlIpfl0	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	PO N#U00b0202415-0004 CULTER-ASSOCIETES_pdf.exe	Get hash	malicious	AgentTesla	Browse	13.107.253.42
	https://emea.dcv.ms/mWYAaJ9Es5VL5xBm8gooqYiMKijC0p?owla=rlKBhvBq	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	PowerShell101 (AutoRecovered).docx	Get hash	malicious	Unknown	Browse	13.107.253.42
	https://emurzhun.com/loop/Untitled/?id=84hsi4&p=page_1&c=1	Get hash	malicious	Unknown	Browse	13.107.253.42
	https://www.cognitoforms.com/Hhg3/PowerAdhesivesLtd	Get hash	malicious	Unknown	Browse	13.107.253.42
	Perfomance_Evalution.docx	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	RFQ - From Arcadia Aerospace Industries Entry CodeRBW51-PU5Y-9A5R.html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	https://control.gruptelevisio.com/getimg.php?l=https://yapidonusum.com/accoTxunts2APthI1AnkoTx4RAcha4RA4DCz01coTxm	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	invoice-72717953897646054572255005658360083176291774189023-quiltercheviot.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	CWS610973I4SC2024.exe	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	LisectAVT_2403002C_181.exe	Get hash	malicious	Revenge	Browse	13.107.246.60
	LisectAVT_2403002C_44.exe	Get hash	malicious	EICAR	Browse	13.89.179.12
	KolataFixed.exe	Get hash	malicious	Unknown	Browse	20.199.16.17
	KolataFixed.exe	Get hash	malicious	Unknown	Browse	20.199.16.17
	LisectAVT_2403002C_69.exe	Get hash	malicious	Unknown	Browse	52.123.243.85
	Lisect_AVT_24003_G1A_33.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	Remittance advice.htm	Get hash	malicious	Unknown	Browse	20.13.96.71
	Lisect_AVT_24003_G1B_6.exe	Get hash	malicious	Unknown	Browse	20.205.229.222
	Lisect_AVT_24003_G1B_6.exe	Get hash	malicious	Unknown	Browse	20.205.229.222
MICROSOFT-CORP-MSN-AS-BLOCKUS	CWS610973I4SC2024.exe	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	LisectAVT_2403002C_181.exe	Get hash	malicious	Revenge	Browse	13.107.246.60
	LisectAVT_2403002C_44.exe	Get hash	malicious	EICAR	Browse	13.89.179.12
	KolataFixed.exe	Get hash	malicious	Unknown	Browse	20.199.16.17
	KolataFixed.exe	Get hash	malicious	Unknown	Browse	20.199.16.17
	LisectAVT_2403002C_69.exe	Get hash	malicious	Unknown	Browse	52.123.243.85
	Lisect_AVT_24003_G1A_33.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	Remittance advice.htm	Get hash	malicious	Unknown	Browse	20.13.96.71
	Lisect_AVT_24003_G1B_6.exe	Get hash	malicious	Unknown	Browse	20.205.229.222
	Lisect_AVT_24003_G1B_6.exe	Get hash	malicious	Unknown	Browse	20.205.229.222
MICROSOFT-CORP-MSN-AS-BLOCKUS	CWS610973I4SC2024.exe	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	LisectAVT_2403002C_181.exe	Get hash	malicious	Revenge	Browse	13.107.246.60
	LisectAVT_2403002C_44.exe	Get hash	malicious	EICAR	Browse	13.89.179.12
	KolataFixed.exe	Get hash	malicious	Unknown	Browse	20.199.16.17
	KolataFixed.exe	Get hash	malicious	Unknown	Browse	20.199.16.17
	LisectAVT_2403002C_69.exe	Get hash	malicious	Unknown	Browse	52.123.243.85
	Lisect_AVT_24003_G1A_33.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	Remittance advice.htm	Get hash	malicious	Unknown	Browse	20.13.96.71
	Lisect_AVT_24003_G1B_6.exe	Get hash	malicious	Unknown	Browse	20.205.229.222
	Lisect_AVT_24003_G1B_6.exe	Get hash	malicious	Unknown	Browse	20.205.229.222

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://gist.github.com/CreativeRoy/7405537df8cb20f60a08246a6093453b	Get hash	malicious	Coinhive, Xmrig	Browse	184.28.90.27 40.68.123.157 20.12.23.50
	https://gist.github.com/qiuxiuya/d1415f62623f8acf65dd0a4c1096b1e2	Get hash	malicious	Xmrig	Browse	184.28.90.27 40.68.123.157 20.12.23.50
	LisectAVT_2403002C_181.exe	Get hash	malicious	Revenge	Browse	184.28.90.27 40.68.123.157 20.12.23.50
	https://forms.office.com/Pages/ResponsePage.aspx?id=kAi_W0yZC0qQpKIHxTYoPxauHzsZJkZMuCk5U9e1Y4RUNFlCMDNQTTdIRTdLV0dKQ1lOUjJYQjg4Si4u&origin=Invitation&channel=0	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 40.68.123.157 20.12.23.50
	LisectAVT_2403002C_66.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.12.23.50
	Sol Distribution - SO-SBES3039324 - - PO52880.eml	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.12.23.50
	https://drive.google.com/file/d/18uQaHuJAdR5xS3lALDyDJ0z0B_5vCmVE/view?usp=drivesdk	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.12.23.50
	http://oopb.juhrtjao.shop/	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.12.23.50
	http://www.dpm.gov.pg	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.12.23.50
	Lisect_AVT_24003_G1A_33.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.12.23.50

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jul 25 06:47:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.988875670508166
Encrypted:	false
SSDEEP:	48:81K0dsQTM0hDbYEHgidAKZdA1oehwiZUklqehny+3:81KRQYODbBUy
MD5:	873CE71EE1333F7F64018A3AB38CC034
SHA1:	9AA10E07C8C63A621131701AA7FE0410D85F91D3
SHA-256:	A6BA81B35D86BF43FE79DA0CD9F32AF3949A44DC84BF4844FF04793490EF7050
SHA-512:	4608676A5BD3AF8C2D7FBD87373EF2B69EF563CB4538D4DE87364D48AC50767E567CDC5B6423119845A30CB30F7726E72616F2646030317222BBFAF806BDAA4D
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,........f...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I.X.=....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.=....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.=....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.=..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.=...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............q"......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.87969851994072
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002C_142.exe
File size:	112'128 bytes
MD5:	01da9ea1cc55c02a1755b20a4ec69f05
SHA1:	1e2d88fc38f6afbde00ce873c2325c8d0c327879
SHA256:	e10057cbc98b12819a4a3a41f68281398a3f18f0a411019e7f069b31a11395fc
SHA512:	d005b838b5905ab8f10b7b6e581f976879d518a6c714722a64e0551b25b3a4793d8a696e8ffeb316e0893284886285a28007310c549b795e7bd9900c4439c05b
SSDEEP:	1536:LgxOx6baIa9RZj00ljEwzGi1dD8DlgSg2GCq2iW7z:LgxbaIa93jNSi1dCyMGCH
TLSH:	61B3084977E42424E4BF56F79871F2004F34B4871642E39E49F259AB1A33AC44F89EEB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?\|.f................................. ........@.. ....................... ............@................................

Entrypoint:	0x41c000
Entrypoint Section:	>\|u
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66007C3F [Sun Mar 24 19:17:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ea8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16f04	0x17000	32d67fdac305711b4aeb32f409a975b5	False	0.3680579144021739	data	5.591546860496406	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	02466978873e232bef309f048b95192f	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
>\|u	0x1c000	0x6000	0x4200	973ec8a3a78ff4be698f3b3a8e2ee1b7	False	0.7774621212121212	data	6.934439630498995	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T09:47:57.186261+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49726	95.101.150.2	192.168.2.8
2024-07-25T09:47:59.822671+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49737	95.101.150.2	192.168.2.8
2024-07-25T09:47:59.844808+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49737	95.101.150.2	192.168.2.8
2024-07-25T09:48:40.834189+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	60450	20.12.23.50	192.168.2.8
2024-07-25T09:47:58.111870+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49726	95.101.150.2	192.168.2.8
2024-07-25T09:47:56.967085+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49726	95.101.150.2	192.168.2.8
2024-07-25T09:48:00.029513+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49737	95.101.150.2	192.168.2.8
2024-07-25T09:48:00.949369+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49737	95.101.150.2	192.168.2.8
2024-07-25T09:47:58.111882+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49726	95.101.150.2	192.168.2.8
2024-07-25T09:47:56.999296+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49726	95.101.150.2	192.168.2.8
2024-07-25T09:48:02.551404+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49760	40.68.123.157	192.168.2.8
2024-07-25T09:48:00.949372+0200	TCP	2012510	ET SHELLCODE UTF-8/16 Encoded Shellcode	443	49737	95.101.150.2	192.168.2.8

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 09:47:50.809377909 CEST	53	58524	1.1.1.1	192.168.2.8
Jul 25, 2024 09:47:50.817761898 CEST	53	50605	1.1.1.1	192.168.2.8
Jul 25, 2024 09:47:51.995273113 CEST	53	65253	1.1.1.1	192.168.2.8
Jul 25, 2024 09:47:53.788778067 CEST	50376	53	192.168.2.8	1.1.1.1
Jul 25, 2024 09:47:53.788988113 CEST	64884	53	192.168.2.8	1.1.1.1
Jul 25, 2024 09:47:54.903347015 CEST	51468	53	192.168.2.8	1.1.1.1
Jul 25, 2024 09:47:54.903595924 CEST	60085	53	192.168.2.8	1.1.1.1
Jul 25, 2024 09:47:55.010911942 CEST	53	51468	1.1.1.1	192.168.2.8
Jul 25, 2024 09:47:55.011104107 CEST	53	60085	1.1.1.1	192.168.2.8
Jul 25, 2024 09:47:55.776076078 CEST	64359	53	192.168.2.8	1.1.1.1
Jul 25, 2024 09:47:55.776192904 CEST	55595	53	192.168.2.8	1.1.1.1
Jul 25, 2024 09:47:56.932029963 CEST	58561	53	192.168.2.8	1.1.1.1
Jul 25, 2024 09:47:56.932161093 CEST	62558	53	192.168.2.8	1.1.1.1
Jul 25, 2024 09:48:01.309175014 CEST	53	53453	1.1.1.1	192.168.2.8
Jul 25, 2024 09:48:09.176326036 CEST	53	51328	1.1.1.1	192.168.2.8
Jul 25, 2024 09:48:16.258554935 CEST	53	63875	1.1.1.1	192.168.2.8
Jul 25, 2024 09:48:30.812012911 CEST	138	138	192.168.2.8	192.168.2.255
Jul 25, 2024 09:48:50.253880978 CEST	53	57414	1.1.1.1	192.168.2.8
Jul 25, 2024 09:48:53.776052952 CEST	61576	53	192.168.2.8	1.1.1.1
Jul 25, 2024 09:48:53.776269913 CEST	51309	53	192.168.2.8	1.1.1.1

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 25, 2024 09:47:52.137048006 CEST	192.168.2.8	1.1.1.1	c2e7	(Port unreachable)	Destination Unreachable
Jul 25, 2024 09:48:53.795216084 CEST	192.168.2.8	1.1.1.1	c279	(Port unreachable)	Destination Unreachable

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 09:47:53.796262026 CEST	1.1.1.1	192.168.2.8	0xd7c7	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:53.798755884 CEST	1.1.1.1	192.168.2.8	0x1c6a	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:55.010911942 CEST	1.1.1.1	192.168.2.8	0xd4a9	No error (0)	www.google.com		172.217.18.4	A (IP address)	IN (0x0001)	false
Jul 25, 2024 09:47:55.011104107 CEST	1.1.1.1	192.168.2.8	0x81aa	No error (0)	www.google.com			65	IN (0x0001)	false
Jul 25, 2024 09:47:55.784791946 CEST	1.1.1.1	192.168.2.8	0xe1b5	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:55.784791946 CEST	1.1.1.1	192.168.2.8	0xe1b5	No error (0)	shed.dual-low.s-part-0014.t-0009.t-msedge.net	s-part-0014.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:55.784791946 CEST	1.1.1.1	192.168.2.8	0xe1b5	No error (0)	s-part-0014.t-0009.t-msedge.net		13.107.246.42	A (IP address)	IN (0x0001)	false
Jul 25, 2024 09:47:55.784898996 CEST	1.1.1.1	192.168.2.8	0xd7ec	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:55.784898996 CEST	1.1.1.1	192.168.2.8	0xd7ec	No error (0)	shed.dual-low.s-part-0014.t-0009.t-msedge.net	s-part-0014.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:55.784898996 CEST	1.1.1.1	192.168.2.8	0xd7ec	No error (0)	s-part-0014.t-0009.t-msedge.net		13.107.246.42	A (IP address)	IN (0x0001)	false
Jul 25, 2024 09:47:55.784941912 CEST	1.1.1.1	192.168.2.8	0xd270	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:55.785100937 CEST	1.1.1.1	192.168.2.8	0x34e5	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:56.753951073 CEST	1.1.1.1	192.168.2.8	0xf6e8	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:56.753951073 CEST	1.1.1.1	192.168.2.8	0xf6e8	No error (0)	shed.dual-low.s-part-0014.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:56.753951073 CEST	1.1.1.1	192.168.2.8	0xf6e8	No error (0)	dual.s-part-0014.t-0009.fb-t-msedge.net	s-part-0014.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:56.753951073 CEST	1.1.1.1	192.168.2.8	0xf6e8	No error (0)	s-part-0014.t-0009.fb-t-msedge.net		13.107.253.42	A (IP address)	IN (0x0001)	false
Jul 25, 2024 09:47:56.759603024 CEST	1.1.1.1	192.168.2.8	0x4427	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:56.939085007 CEST	1.1.1.1	192.168.2.8	0x1af7	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:56.939085007 CEST	1.1.1.1	192.168.2.8	0x1af7	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:56.939085007 CEST	1.1.1.1	192.168.2.8	0x1af7	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:47:56.939085007 CEST	1.1.1.1	192.168.2.8	0x1af7	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false
Jul 25, 2024 09:47:56.940375090 CEST	1.1.1.1	192.168.2.8	0x935d	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:48:02.540080070 CEST	1.1.1.1	192.168.2.8	0xf567	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:48:02.542083979 CEST	1.1.1.1	192.168.2.8	0x64d6	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:48:06.044871092 CEST	1.1.1.1	192.168.2.8	0x97e7	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:48:06.044914007 CEST	1.1.1.1	192.168.2.8	0x5ddc	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:48:53.783736944 CEST	1.1.1.1	192.168.2.8	0xd539	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 09:48:53.795115948 CEST	1.1.1.1	192.168.2.8	0xeb44	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:47:56 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-25 07:47:56 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF4C) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=30117 Date: Thu, 25 Jul 2024 07:47:56 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:47:56 UTC	551	OUT	GET /mscc/lib/v2/wcp-consent.js HTTP/1.1 Host: wcpstatic.microsoft.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-25 07:47:56 UTC	712	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:47:56 GMT Content-Type: application/javascript Content-Length: 52717 Connection: close Access-Control-Allow-Origin: * Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding Age: 2546 Cache-Control: max-age=43200 Content-MD5: QT/MdZzBmCG2G2lBgIsptQ== Etag: 0x8DA85F6F74C6D08 Last-Modified: Wed, 24 Aug 2022 17:34:58 GMT Vary: Accept-Encoding X-Cache: CONFIG_NOCACHE x-ms-blob-type: BlockBlob x-ms-lease-status: unlocked x-ms-request-id: c453384c-901e-000b-3e61-de3bb4000000 x-ms-version: 2009-09-19 x-azure-ref: 20240725T074756Z-15b94bb6ff9hzj67et992uy4mg00000002zg00000000chf8 Accept-Ranges: bytes
2024-07-25 07:47:56 UTC	15672	IN	Data Raw: 76 61 72 20 57 63 70 43 6f 6e 73 65 6e 74 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 7b 32 32 39 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 77 69 6e 64 6f 77 2c 65 2e 65 78 70 6f 72 74 73 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 6f 28 6e 29 7b 69 66 28 74 5b 6e 5d 29 72 65 74 75 72 6e 20 74 5b 6e 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 72 3d 74 5b 6e 5d 3d 7b 69 3a 6e 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 7d 7d 3b 72 65 74 75 72 6e 20 65 5b 6e 5d 2e 63 61 6c 6c 28 72 2e 65 78 70 6f 72 74 73 2c 72 2c 72 2e 65 78 70 6f 72 74 73 2c 6f 29 2c 72 2e 6c 3d 21 30 2c 72 2e 65 78 70 6f 72 74 73 7d 72 65 74 75 72 6e 20 6f 2e 6d 3d 65 2c 6f 2e 63 3d 74 2c 6f 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 65 Data Ascii: var WcpConsent;!function(){var e={229:function(e){window,e.exports=function(e){var t={};function o(n){if(t[n])return t[n].exports;var r=t[n]={i:n,l:!1,exports:{}};return e[n].call(r.exports,r,r.exports,o),r.l=!0,r.exports}return o.m=e,o.c=t,o.d=function(e
2024-07-25 07:47:56 UTC	711	IN	Data Raw: 7b 72 65 74 75 72 6e 20 65 3f 65 2e 72 65 70 6c 61 63 65 28 2f 26 2f 67 2c 22 26 61 6d 70 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3c 2f 67 2c 22 26 6c 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3e 2f 67 2c 22 26 67 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 22 2f 67 2c 22 26 71 75 6f 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 27 2f 67 2c 22 26 23 30 33 39 3b 22 29 3a 22 22 7d 2c 65 7d 28 29 2c 61 3d 6e 2e 6c 6f 63 61 6c 73 2c 6c 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 65 2c 74 2c 6f 2c 6e 2c 72 2c 69 2c 61 29 7b 74 68 69 73 2e 64 69 72 65 63 74 69 6f 6e 3d 22 6c 74 72 22 2c 74 68 69 73 2e 70 72 65 76 69 6f 75 73 46 6f 63 75 73 45 6c 65 6d 65 6e 74 42 65 66 6f 72 65 50 6f 70 75 70 3d 6e 75 6c 6c 2c 74 68 69 73 2e 63 6f 6f 6b 69 65 Data Ascii: {return e?e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'"):""},e}(),a=n.locals,l=function(){function e(e,t,o,n,r,i,a){this.direction="ltr",this.previousFocusElementBeforePopup=null,this.cookie
2024-07-25 07:47:56 UTC	16383	IN	Data Raw: 61 2d 6c 61 62 65 6c 3d 22 27 2b 69 2e 65 73 63 61 70 65 48 74 6d 6c 28 74 68 69 73 2e 74 65 78 74 52 65 73 6f 75 72 63 65 73 2e 70 72 65 66 65 72 65 6e 63 65 73 44 69 61 6c 6f 67 43 6c 6f 73 65 4c 61 62 65 6c 29 2b 27 22 20 63 6c 61 73 73 3d 22 27 2b 61 2e 63 6c 6f 73 65 4d 6f 64 61 6c 49 63 6f 6e 2b 27 22 20 74 61 62 69 6e 64 65 78 3d 22 30 22 3e 26 23 78 32 37 31 35 3b 3c 2f 62 75 74 74 6f 6e 3e 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 72 6f 6c 65 3d 22 64 6f 63 75 6d 65 6e 74 22 20 63 6c 61 73 73 3d 22 27 2b 61 2e 6d 6f 64 61 6c 42 6f 64 79 2b 27 22 3e 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 3e 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 27 2b 61 2e 6d 6f Data Ascii: a-label="'+i.escapeHtml(this.textResources.preferencesDialogCloseLabel)+'" class="'+a.closeModalIcon+'" tabindex="0">✕</button>\n <div role="document" class="'+a.modalBody+'">\n <div>\n <h1 class="'+a.mo
2024-07-25 07:47:56 UTC	16383	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 22 2b 65 5b 22 72 61 64 69 6f 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 63 6f 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 7d 2c 65 7d 28 29 2c 64 3d 5b 22 61 72 22 2c 22 68 65 22 2c 22 70 73 22 2c 22 75 72 22 2c 22 66 61 22 2c 22 70 61 22 2c 22 73 64 22 2c 22 74 6b 22 2c 22 75 67 22 2c 22 79 69 22 2c 22 73 79 72 22 2c 22 6b 73 2d 61 72 61 62 22 5d 2c 75 3d 7b 22 63 6c 6f 73 65 2d 62 75 74 74 6f 6e 2d 63 6f 6c 6f 72 22 3a 22 23 36 36 36 36 36 36 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 6f 70 61 63 69 74 79 22 3a 22 31 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f Data Ascii: background-color: "+e["radio-button-disabled-color"]+" !important;\n }"},e}(),d=["ar","he","ps","ur","fa","pa","sd","tk","ug","yi","syr","ks-arab"],u={"close-button-color":"#666666","secondary-button-disabled-opacity":"1","secondary-butto
2024-07-25 07:47:56 UTC	3568	IN	Data Raw: 74 28 22 2d 22 29 5b 30 5d 3b 6f 3d 65 2e 73 70 6c 69 74 28 22 2d 22 29 5b 30 5d 3d 3d 3d 6e 7d 72 65 74 75 72 6e 20 6f 7d 28 65 2c 63 29 7d 29 29 3b 73 26 26 30 3d 3d 3d 73 2e 6c 65 6e 67 74 68 26 26 28 65 3d 22 65 6e 2d 55 53 22 29 2c 6f 2e 70 6c 61 63 65 68 6f 6c 64 65 72 45 6c 65 6d 65 6e 74 3d 6c 2c 72 26 26 6f 2e 63 6f 6e 73 65 6e 74 43 68 61 6e 67 65 64 43 61 6c 6c 62 61 63 6b 73 2e 72 65 67 69 73 74 65 72 43 61 6c 6c 62 61 63 6b 28 72 29 2c 6f 2e 73 61 76 65 43 6f 6f 6b 69 65 28 29 2c 6f 2e 73 69 74 65 43 6f 6e 73 65 6e 74 3d 6e 65 77 20 66 28 21 31 29 2c 6e 75 6c 6c 3d 3d 6e 7c 7c 6e 28 76 6f 69 64 20 30 2c 6f 2e 73 69 74 65 43 6f 6e 73 65 6e 74 29 2c 6f 2e 69 73 49 6e 69 74 52 65 61 64 79 3d 21 30 2c 74 68 69 73 2e 63 6f 6e 73 65 6e 74 43 68 61 Data Ascii: t("-")[0];o=e.split("-")[0]===n}return o}(e,c)}));s&&0===s.length&&(e="en-US"),o.placeholderElement=l,r&&o.consentChangedCallbacks.registerCallback(r),o.saveCookie(),o.siteConsent=new f(!1),null==n\|\|n(void 0,o.siteConsent),o.isInitReady=!0,this.consentCha

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:47:56 UTC	549	OUT	GET /scripts/c/ms.jsll-4.min.js HTTP/1.1 Host: js.monitor.azure.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-25 07:47:56 UTC	958	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:47:56 GMT Content-Type: text/javascript; charset=utf-8 Content-Length: 206998 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: no-transform, public, max-age=1800, immutable Last-Modified: Mon, 15 Jul 2024 17:38:35 GMT ETag: 0x8DCA4F4F47351DF x-ms-request-id: bd54a350-101e-00a5-0729-dd7893000000 x-ms-version: 2009-09-19 x-ms-meta-jssdkver: 4.3.0 x-ms-meta-jssdksrc: [cdn]/scripts/c/ms.jsll-4.3.0.min.js Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-jssdkver,x-ms-meta-jssdksrc,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240725T074756Z-15b94bb6ff9jvw8lyyuzzsv82w00000001g000000000aeey x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-07-25 07:47:56 UTC	15426	IN	Data Raw: 2f 2a 21 0a 20 2a 20 31 44 53 20 4a 53 4c 4c 20 53 4b 55 2c 20 34 2e 33 2e 30 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 4d 69 63 72 6f 73 6f 66 74 20 61 6e 64 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 0a 20 2a 20 28 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 61 6c 20 4f 6e 6c 79 29 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 3d 22 75 6e 64 65 66 69 6e 65 64 22 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 21 3d 6e 29 74 28 65 78 70 6f 72 74 73 29 3b 65 6c 73 65 20 69 66 28 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 Data Ascii: /! 1DS JSLL SKU, 4.3.0 * Copyright (c) Microsoft and contributors. All rights reserved. * (Microsoft Internal Only) */!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&defi
2024-07-25 07:47:56 UTC	16384	IN	Data Raw: 66 65 28 22 63 6f 6e 73 6f 6c 65 22 29 29 26 26 28 72 2e 65 72 72 6f 72 7c 7c 72 2e 6c 6f 67 29 28 74 2c 61 65 28 69 29 29 29 29 7d 78 65 28 61 3d 7b 74 68 65 6e 3a 6f 2c 22 63 61 74 63 68 22 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 6f 28 75 6e 64 65 66 69 6e 65 64 2c 65 29 7d 2c 22 66 69 6e 61 6c 6c 79 22 3a 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 65 3d 74 2c 6e 3d 74 3b 72 65 74 75 72 6e 20 51 28 74 29 26 26 28 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 74 26 26 74 28 29 2c 65 7d 2c 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 74 68 72 6f 77 20 74 26 26 74 28 29 2c 65 7d 29 2c 6f 28 65 2c 6e 29 7d 7d 2c 22 73 74 61 74 65 22 2c 7b 67 65 74 3a 64 7d 29 2c 6d 74 28 29 26 26 28 61 5b 79 74 28 31 31 29 5d 3d 22 49 Data Ascii: fe("console"))&&(r.error\|\|r.log)(t,ae(i))))}xe(a={then:o,"catch":function(e){return o(undefined,e)},"finally":function(t){var e=t,n=t;return Q(t)&&(e=function(e){return t&&t(),e},n=function(e){throw t&&t(),e}),o(e,n)}},"state",{get:d}),mt()&&(a[yt(11)]="I
2024-07-25 07:47:56 UTC	16384	IN	Data Raw: 2c 6e 2e 68 3d 6e 2e 68 7c 7c 72 6e 28 73 63 2c 30 2c 6e 29 29 3a 4c 28 72 2c 5b 65 5d 29 29 7d 29 7d 64 63 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 66 63 3d 64 63 3b 66 75 6e 63 74 69 6f 6e 20 64 63 28 65 29 7b 74 68 69 73 2e 6c 69 73 74 65 6e 65 72 73 3d 5b 5d 3b 76 61 72 20 6e 2c 69 3d 5b 5d 2c 61 3d 7b 68 3a 6e 75 6c 6c 2c 63 62 3a 5b 5d 7d 2c 6f 3d 6c 6f 28 65 2c 75 63 29 5b 47 6e 5d 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6e 3d 21 21 65 2e 63 66 67 2e 70 65 72 66 45 76 74 73 53 65 6e 64 41 6c 6c 7d 29 3b 76 65 28 64 63 2c 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 59 28 65 2c 22 6c 69 73 74 65 6e 65 72 73 22 2c 7b 67 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 69 7d 7d 29 2c 65 5b 74 72 5d 3d 66 75 6e 63 74 69 6f 6e 28 65 29 Data Ascii: ,n.h=n.h\|\|rn(sc,0,n)):L(r,[e]))})}dc.__ieDyn=1;var fc=dc;function dc(e){this.listeners=[];var n,i=[],a={h:null,cb:[]},o=lo(e,uc)[Gn](function(e){n=!!e.cfg.perfEvtsSendAll});ve(dc,this,function(e){Y(e,"listeners",{g:function(){return i}}),e[tr]=function(e)
2024-07-25 07:47:56 UTC	16384	IN	Data Raw: 28 61 29 7d 2c 36 2c 6e 29 2c 69 7d 2c 66 5b 63 72 5d 3d 73 2c 66 2e 61 64 64 50 6c 75 67 69 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 2c 72 29 7b 69 66 28 21 65 29 72 65 74 75 72 6e 20 72 26 26 72 28 21 31 29 2c 76 6f 69 64 20 43 28 6e 75 29 3b 76 61 72 20 69 3d 73 28 65 5b 5a 6e 5d 29 3b 69 66 28 69 26 26 21 74 29 72 65 74 75 72 6e 20 72 26 26 72 28 21 31 29 2c 76 6f 69 64 20 43 28 22 50 6c 75 67 69 6e 20 5b 22 2b 65 5b 5a 6e 5d 2b 22 5d 20 69 73 20 61 6c 72 65 61 64 79 20 6c 6f 61 64 65 64 21 22 29 3b 76 61 72 20 61 2c 6f 3d 7b 72 65 61 73 6f 6e 3a 31 36 7d 3b 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 41 5b 74 65 5d 28 65 29 2c 6f 2e 61 64 64 65 64 3d 5b 65 5d 2c 67 28 6f 29 2c 72 26 26 72 28 21 30 29 7d 69 3f 76 28 61 3d 5b 69 2e 70 6c 75 67 69 6e Data Ascii: (a)},6,n),i},f[cr]=s,f.addPlugin=function(e,t,n,r){if(!e)return r&&r(!1),void C(nu);var i=s(e[Zn]);if(i&&!t)return r&&r(!1),void C("Plugin ["+e[Zn]+"] is already loaded!");var a,o={reason:16};function c(){A[te](e),o.added=[e],g(o),r&&r(!0)}i?v(a=[i.plugin
2024-07-25 07:47:56 UTC	16384	IN	Data Raw: 73 5d 28 29 2c 6e 3d 66 65 28 65 3d 3d 3d 43 6c 2e 4c 6f 63 61 6c 53 74 6f 72 61 67 65 3f 22 6c 6f 63 61 6c 53 74 6f 72 61 67 65 22 3a 22 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 22 29 2c 72 3d 54 6c 2b 74 2c 69 3d 28 6e 2e 73 65 74 49 74 65 6d 28 72 2c 74 29 2c 6e 2e 67 65 74 49 74 65 6d 28 72 29 21 3d 3d 74 29 3b 69 66 28 6e 5b 77 73 5d 28 72 29 2c 21 69 29 72 65 74 75 72 6e 20 6e 7d 63 61 74 63 68 28 61 29 7b 7d 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 66 75 6e 63 74 69 6f 6e 20 45 6c 28 29 7b 72 65 74 75 72 6e 20 5f 6c 28 29 3f 49 6c 28 43 6c 2e 53 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 29 3a 6e 75 6c 6c 7d 66 75 6e 63 74 69 6f 6e 20 5f 6c 28 65 29 7b 72 65 74 75 72 6e 20 62 6c 3d 65 7c 7c 62 6c 3d 3d 3d 75 6e 64 65 66 69 6e 65 64 3f 21 21 49 6c 28 43 6c Data Ascii: s](),n=fe(e===Cl.LocalStorage?"localStorage":"sessionStorage"),r=Tl+t,i=(n.setItem(r,t),n.getItem(r)!==t);if(n[ws](r),!i)return n}catch(a){}return null}function El(){return _l()?Il(Cl.SessionStorage):null}function _l(e){return bl=e\|\|bl===undefined?!!Il(Cl
2024-07-25 07:47:56 UTC	16384	IN	Data Raw: 72 6e 20 6f 7d 7d 29 2c 59 28 65 2c 22 70 61 67 65 56 69 73 69 74 54 69 6d 65 54 72 61 63 6b 69 6e 67 48 61 6e 64 6c 65 72 22 2c 7b 67 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 7d 7d 29 7d 29 7d 76 61 72 20 45 64 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 74 68 69 73 5b 6c 64 5d 3d 4f 74 28 29 2c 74 68 69 73 2e 70 61 67 65 4e 61 6d 65 3d 65 2c 74 68 69 73 2e 70 61 67 65 55 72 6c 3d 74 7d 2c 5f 64 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 65 29 7b 76 61 72 20 6f 3d 74 68 69 73 2c 63 3d 7b 7d 3b 6f 2e 73 74 61 72 74 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 63 5b 65 5d 26 26 6d 65 28 61 2c 32 2c 36 32 2c 22 73 74 61 72 74 20 77 61 73 20 63 61 6c 6c 65 64 20 6d 6f 72 65 20 74 68 61 6e 20 Data Ascii: rn o}}),Y(e,"pageVisitTimeTrackingHandler",{g:function(){return c}})})}var Ed=function(e,t){this[ld]=Ot(),this.pageName=e,this.pageUrl=t},_d=function(a,e){var o=this,c={};o.start=function(e){"undefined"!=typeof c[e]&&me(a,2,62,"start was called more than
2024-07-25 07:47:56 UTC	16384	IN	Data Raw: 61 67 73 3d 6d 73 28 21 30 2c 6e 2e 5f 70 61 67 65 54 61 67 73 2c 74 2e 70 61 67 65 54 61 67 73 29 29 2c 65 2e 70 72 6f 70 65 72 74 69 65 73 3d 65 2e 70 72 6f 70 65 72 74 69 65 73 7c 7c 7b 7d 2c 65 2e 70 72 6f 70 65 72 74 69 65 73 2e 70 61 67 65 54 61 67 73 3d 6e 2e 5f 70 61 67 65 54 61 67 73 7d 2c 65 70 2e 70 72 6f 74 6f 74 79 70 65 2e 5f 67 65 74 42 65 68 61 76 69 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3b 72 65 74 75 72 6e 20 65 26 26 63 65 28 65 2e 62 65 68 61 76 69 6f 72 29 3f 74 3d 65 2e 62 65 68 61 76 69 6f 72 3a 63 65 28 74 68 69 73 2e 5f 62 65 68 61 76 69 6f 72 4d 65 74 61 54 61 67 29 26 26 28 74 3d 74 68 69 73 2e 5f 62 65 68 61 76 69 6f 72 4d 65 74 61 54 61 67 29 2c 74 68 69 73 2e 5f 67 65 74 56 61 6c 69 64 42 65 68 61 76 69 Data Ascii: ags=ms(!0,n._pageTags,t.pageTags)),e.properties=e.properties\|\|{},e.properties.pageTags=n._pageTags},ep.prototype._getBehavior=function(e){var t;return e&&ce(e.behavior)?t=e.behavior:ce(this._behaviorMetaTag)&&(t=this._behaviorMetaTag),this._getValidBehavi
2024-07-25 07:47:56 UTC	16384	IN	Data Raw: 6d 65 73 2e 63 6f 6e 74 65 6e 74 4e 61 6d 65 29 3b 72 26 26 28 61 5b 74 5d 3d 72 29 2c 69 26 26 28 61 5b 6e 5d 3d 69 29 7d 72 65 74 75 72 6e 20 61 7d 2c 53 70 29 3b 66 75 6e 63 74 69 6f 6e 20 53 70 28 65 2c 74 29 7b 74 68 69 73 2e 5f 63 6f 6e 66 69 67 3d 65 2c 74 68 69 73 2e 5f 74 72 61 63 65 4c 6f 67 67 65 72 3d 74 2c 74 68 69 73 2e 5f 63 6f 6e 74 65 6e 74 42 6c 6f 62 46 69 65 6c 64 4e 61 6d 65 73 3d 6e 75 6c 6c 2c 74 68 69 73 2e 5f 63 6f 6e 74 65 6e 74 42 6c 6f 62 46 69 65 6c 64 4e 61 6d 65 73 3d 21 30 3d 3d 3d 74 68 69 73 2e 5f 63 6f 6e 66 69 67 2e 75 73 65 53 68 6f 72 74 4e 61 6d 65 46 6f 72 43 6f 6e 74 65 6e 74 42 6c 6f 62 3f 54 70 2e 73 68 6f 72 74 4e 61 6d 65 73 3a 54 70 2e 6c 6f 6e 67 4e 61 6d 65 73 7d 76 61 72 20 78 70 2c 4e 70 3d 48 65 28 7b 75 Data Ascii: mes.contentName);r&&(a[t]=r),i&&(a[n]=i)}return a},Sp);function Sp(e,t){this._config=e,this._traceLogger=t,this._contentBlobFieldNames=null,this._contentBlobFieldNames=!0===this._config.useShortNameForContentBlob?Tp.shortNames:Tp.longNames}var xp,Np=He({u
2024-07-25 07:47:56 UTC	16384	IN	Data Raw: 67 3d 22 73 65 6e 64 54 79 70 65 22 2c 4b 67 3d 22 61 64 64 48 65 61 64 65 72 22 2c 47 67 3d 22 63 61 6e 53 65 6e 64 52 65 71 75 65 73 74 22 2c 58 67 3d 22 73 65 6e 64 51 75 65 75 65 64 52 65 71 75 65 73 74 73 22 2c 4a 67 3d 22 69 73 43 6f 6d 70 6c 65 74 65 6c 79 49 64 6c 65 22 2c 51 67 3d 22 73 65 74 55 6e 6c 6f 61 64 69 6e 67 22 2c 59 67 3d 22 73 65 6e 64 53 79 6e 63 68 72 6f 6e 6f 75 73 42 61 74 63 68 22 2c 24 67 3d 22 5f 74 72 61 6e 73 70 6f 72 74 22 2c 5a 67 3d 22 67 65 74 57 50 61 72 61 6d 22 2c 65 76 3d 22 69 73 42 65 61 63 6f 6e 22 2c 74 76 3d 22 74 69 6d 69 6e 67 73 22 2c 6e 76 3d 22 69 73 54 65 61 72 64 6f 77 6e 22 2c 72 76 3d 22 69 73 53 79 6e 63 22 2c 69 76 3d 22 64 61 74 61 22 2c 61 76 3d 22 5f 73 65 6e 64 52 65 61 73 6f 6e 22 2c 6f 76 3d 22 Data Ascii: g="sendType",Kg="addHeader",Gg="canSendRequest",Xg="sendQueuedRequests",Jg="isCompletelyIdle",Qg="setUnloading",Yg="sendSynchronousBatch",$g="_transport",Zg="getWParam",ev="isBeacon",tv="timings",nv="isTeardown",rv="isSync",iv="data",av="_sendReason",ov="
2024-07-25 07:47:56 UTC	16384	IN	Data Raw: 28 29 7b 72 65 3d 21 31 2c 61 65 3d 21 28 69 65 3d 5b 5d 29 2c 52 3d 31 65 34 2c 75 65 3d 7b 7d 2c 73 65 3d 59 70 2c 65 65 3d 21 28 46 3d 7b 7d 29 2c 71 3d 42 3d 56 3d 55 3d 63 65 3d 6f 65 3d 30 2c 7a 3d 2d 31 2c 4b 3d 21 28 57 3d 21 28 6a 3d 4c 3d 4d 3d 50 3d 6b 3d 6e 75 6c 6c 29 29 2c 47 3d 36 2c 74 65 3d 4a 3d 6e 75 6c 6c 2c 6e 65 3d 21 28 58 3d 32 29 2c 51 3d 50 76 28 29 2c 48 3d 6e 65 77 20 42 76 28 4f 3d 35 30 30 2c 32 2c 31 2c 7b 72 65 71 75 65 75 65 3a 65 2c 73 65 6e 64 3a 53 2c 73 65 6e 74 3a 78 2c 64 72 6f 70 3a 4e 2c 72 73 70 46 61 69 6c 3a 44 2c 6f 74 68 3a 41 7d 29 2c 74 28 29 2c 46 5b 34 5d 3d 7b 62 61 74 63 68 65 73 3a 5b 5d 2c 69 4b 65 79 4d 61 70 3a 7b 7d 7d 2c 46 5b 33 5d 3d 7b 62 61 74 63 68 65 73 3a 5b 5d 2c 69 4b 65 79 4d 61 70 3a 7b Data Ascii: (){re=!1,ae=!(ie=[]),R=1e4,ue={},se=Yp,ee=!(F={}),q=B=V=U=ce=oe=0,z=-1,K=!(W=!(j=L=M=P=k=null)),G=6,te=J=null,ne=!(X=2),Q=Pv(),H=new Bv(O=500,2,1,{requeue:e,send:S,sent:x,drop:N,rspFail:D,oth:A}),t(),F[4]={batches:[],iKeyMap:{}},F[3]={batches:[],iKeyMap:{

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:47:57 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-25 07:47:57 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=30117 Date: Thu, 25 Jul 2024 07:47:57 GMT Content-Length: 55 Connection: close X-CID: 2
2024-07-25 07:47:57 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:48:02 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3FgPvgo5hwHzvrg&MD=TArSOtKe HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-25 07:48:02 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: c4fca711-93f5-43d6-8e2f-86ac24331bd8 MS-RequestId: db48bc4a-9347-43c9-8dbc-cd4f69fa700f MS-CV: dL4sqJFhak6tWW45.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 25 Jul 2024 07:48:02 GMT Connection: close Content-Length: 24490
2024-07-25 07:48:02 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-07-25 07:48:02 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:48:40 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3FgPvgo5hwHzvrg&MD=TArSOtKe HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-25 07:48:40 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: b861d6b6-eb7f-47c4-af0d-7a118f1f7607 MS-RequestId: 522fd455-32be-4b7c-b77a-5d4d555a25c9 MS-CV: tKs1MwM6oUOjaagP.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 25 Jul 2024 07:48:39 GMT Connection: close Content-Length: 30005
2024-07-25 07:48:40 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-07-25 07:48:40 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	03:47:41
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002C_142.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002C_142.exe"
Imagebase:	0x20000
File size:	112'128 bytes
MD5 hash:	01DA9EA1CC55C02A1755B20A4EC69F05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1379310040.0000000000022000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	03:47:47
Start date:	25/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	03:47:48
Start date:	25/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1904,i,3045040594546194306,8046493471930814901,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	03:47:57
Start date:	25/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LisectAVT_2403002C_142.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	03:47:58
Start date:	25/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1888,i,6999489819283979014,13540749176578719827,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002C_142.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 150

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Chrome Cache Entry: 154

Chrome Cache Entry: 155

Windows Analysis Report
LisectAVT_2403002C_142.exe

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre