Edit tour

Windows Analysis Report
17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Overview

General Information

Sample name:	17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe
Analysis ID:	1578603
MD5:	072a26b0404336b233fa92eda9969757
SHA1:	ece49ed6d716c6c147231b35fe4fddd476d1bfdc
SHA256:	bf8f26dff443e2d58b8da516c8668fb350f809e28c61d546c1c0e7fe8d3d0829
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

Njrat

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Njrat

AI detected suspicious sample

Machine Learning detection for sample

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

PE file does not import any functions

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64

17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe (PID: 5620 cmdline: "C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe" MD5: 072A26B0404336B233FA92EDA9969757)

chrome.exe (PID: 2776 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 4848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2084,i,2808867783359981459,11530441514433520162,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7280 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7476 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1928,i,5265947663293489236,13079961179039997429,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "Adminnjdic.casacam.net", "Port": "1520", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "6c22d3c2fb"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1421078068.0000000000492000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe PID: 5620	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe.490000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI\|\|{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI\|\|{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI\|\|{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic	DNS traffic detected: DNS query: mdec.nelreports.net

Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_88.5.dr	String found in binary or memory: http://schema.org/Organization
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_88.5.dr, chromecache_124.5.dr	String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://aka.ms/msignite_docs_banner
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_88.5.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_88.5.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_88.5.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/Thraka
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/adegeo
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/gewarren
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/mairaw
Source: chromecache_88.5.dr	String found in binary or memory: https://github.com/nschonni
Source: chromecache_88.5.dr	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_104.5.dr	String found in binary or memory: https://schema.org
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05
Source: chromecache_104.5.dr	String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9
Source: chromecache_123.5.dr, chromecache_104.5.dr	String found in binary or memory: https://www.linkedin.com/cws/share?url=$

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1421078068.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe PID: 5620, type: MEMORYSTR

Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Static PE information: No import functions for PE file found

Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe, 00000000.00000000.1421096208.0000000000498000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenj.exe4 vs 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe
Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Binary or memory string: OriginalFilenamenj.exe4 vs 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.winEXE@24/67@6/3

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe "C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe"
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2084,i,2808867783359981459,11530441514433520162,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1928,i,5265947663293489236,13079961179039997429,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2084,i,2808867783359981459,11530441514433520162,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1928,i,5265947663293489236,13079961179039997429,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Section loaded: wkscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe, 00000000.00000002.1508103101.000000000097D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior
Source: C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0			Jump to behavior

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1421078068.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe PID: 5620, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1421078068.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe PID: 5620, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	50%	ReversingLabs	Win32.Backdoor.njRAT
17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
www.google.com	142.250.181.132	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
js.monitor.azure.com	unknown	unknown	false	high
mdec.nelreports.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	chromecache_88.5.dr	false	high
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	chromecache_88.5.dr	false	high
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	chromecache_88.5.dr	false	high
https://client-api.arkoselabs.com/v2/api.js	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://github.com/Thraka	chromecache_88.5.dr	false	high
http://polymer.github.io/PATENTS.txt	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://aka.ms/certhelp	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	chromecache_88.5.dr	false	high
https://www.linkedin.com/cws/share?url=$	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://github.com/mairaw	chromecache_88.5.dr	false	high
https://schema.org	chromecache_104.5.dr	false	high
http://polymer.github.io/LICENSE.txt	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://github.com/Youssef1313	chromecache_88.5.dr	false	high
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://aka.ms/msignite_docs_banner	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9	chromecache_104.5.dr	false	high
http://polymer.github.io/AUTHORS.txt	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://aka.ms/yourcaliforniaprivacychoices	chromecache_88.5.dr	false	high
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	chromecache_88.5.dr	false	high
https://github.com/nschonni	chromecache_88.5.dr	false	high
https://management.azure.com/subscriptions?api-version=2016-06-01	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://github.com/adegeo	chromecache_88.5.dr	false	high
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	chromecache_88.5.dr	false	high
https://aka.ms/pshelpmechoose	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://aka.ms/feedback/report?space=61	chromecache_88.5.dr, chromecache_124.5.dr	false	high
https://github.com/jonschlinkert/is-plain-object	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://octokit.github.io/rest.js/#throttling	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://github.com/js-cookie/js-cookie	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://learn-video.azurefd.net/vod/player	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://twitter.com/intent/tweet?original_referer=$	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://github.com/gewarren	chromecache_88.5.dr	false	high
http://schema.org/Organization	chromecache_88.5.dr	false	high
http://polymer.github.io/CONTRIBUTORS.txt	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://channel9.msdn.com/	chromecache_123.5.dr, chromecache_104.5.dr	false	high
https://github.com/dotnet/try	chromecache_123.5.dr, chromecache_104.5.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.132	www.google.com	United States		15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false

Private

IP
192.168.2.9

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578603
Start date and time:	2024-12-19 23:28:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe
Detection:	MAL
Classification:	mal72.troj.winEXE@24/67@6/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.181.99, 92.122.18.57, 64.233.162.84, 172.217.17.78, 92.122.18.2, 172.217.17.46, 23.32.238.18, 142.250.181.42, 142.250.181.106, 216.58.208.234, 172.217.19.234, 172.217.17.42, 142.250.181.74, 172.217.17.74, 172.217.19.170, 142.250.181.138, 172.217.19.202, 23.32.239.25, 23.32.239.82, 192.229.221.95, 172.217.17.35, 199.232.210.172, 172.217.19.206, 92.122.16.236, 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, clientservices.googleapis.com, learn.microsoft.com, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, star-azurefd-prod.trafficmanager.net, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, update.googleapis.com, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, edgedl.me.gvt1.com, e13636.dscb.akamaiedge.net, learn-public.trafficmanager.net, go.microsoft.com.edgekey.net, clients.l.google.com, wcpstatic.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Input	Output
URL: https://microsoft.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://microsoft.com
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319. Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This application could not be started", "prominent_button_name": "Yes", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319. Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This application could not be started", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319. Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319. Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	1734647108c2d815e9b224b58a4453e937ebbee326356eaa9618758f1ee8f3e412a78fcc82730.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse
	ghostspider.7z	Get hash	malicious	Unknown	Browse
	https://www.canva.com/design/DAGZxEJMIA0/pFi0b1a1Y78oAGDuII8Hjg/view?utm_content=DAGZxEJMIA0&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hdcdec8ed4a	Get hash	malicious	HTMLPhisher	Browse
	https://gateway.lighthouse.storage/ipfs/bafkreigjxudfsi54f5pliswxztgujxgpdhe4uyrezdbg5avbtrclxrxc6i	Get hash	malicious	HTMLPhisher	Browse
	https://mdgouv.com	Get hash	malicious	HTMLPhisher	Browse
	https://kubota.highq.com/kubota/sitecontroller.action?metaData.siteID=7&metaData.parentFolderID=74	Get hash	malicious	Unknown	Browse
	https://kubota.highq.com/kubota/externalAccess.action?linkParam=248Md4JKaxiIU4vwlQaNq5FLgPVNq03doY6pcXaLJD4%3D&documentDownload=link	Get hash	malicious	Unknown	Browse
	https://kubota.highq.com/kubota/viewUserProfile.action?metaData.encryptTargetUserID=D1l4_GI3rHw=&metaData.updateUserProfileProcess=true	Get hash	malicious	Unknown	Browse
	https://track.samsupport.jmsend.com/z.z?l=aHR0cHM6Ly9zYW1zdXBwb3J0cy1jb20uam1haWxyb3V0ZS5uZXQveC91P3U9ZWJlNTI4YmMtYTNjMS00NjI0LWFmZjEtYzcwNDJmMjczZWIw&r=14771356625&d=20437066&p=1&t=h&h=40dfe9be3647ce867f619b07dd91c655	Get hash	malicious	Unknown	Browse
	https://launch.app/prolandtitle	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe	Get hash	malicious	XWorm	Browse	13.107.246.63
	1734647108c2d815e9b224b58a4453e937ebbee326356eaa9618758f1ee8f3e412a78fcc82730.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
	1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
	17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
	1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe	Get hash	malicious	Quasar	Browse	13.107.246.63
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	13.107.246.63
	Gioia Faggioli-End Of Year-Bonus.docx	Get hash	malicious	Unknown	Browse	13.107.246.63
	dz6dQWx0DD.dll	Get hash	malicious	Nitol	Browse	13.107.246.63
	Eallentoff_401k_1484013830.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	INVOICE-0098.pdf ... .lnk.lnk.d.lnk	Get hash	malicious	Unknown	Browse	13.107.246.63

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 21:29:54 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9836855175009447
Encrypted:	false
SSDEEP:	48:8yEdTWT4XHnH2idAKZdA1P4ehwiZUklqehey+3:8ycWEXHEOxy
MD5:	60802FF89E29C695012A58ECAC52BC0B
SHA1:	F6D59C600D6900BA21F3BF2B9F159A12ED325DEC
SHA-256:	897000BF8779EB92C554757AD6AD8376DCC536E1AB72EEF6D478070085D9C86C
SHA-512:	827E8CB60A33F0A0E7AE977F63ADB54FC49B90DA89D3B853AD072EE34DB070C13D2133747DEEDCE1089F1EA64219BFE12CF6D24F7E6BA3D7344A28EF1BFF7BA6
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....a...eR....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.Y......B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y......L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.Y......M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.Y...............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.Y.............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........(..=.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.841469904409379
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe
File size:	33'050 bytes
MD5:	072a26b0404336b233fa92eda9969757
SHA1:	ece49ed6d716c6c147231b35fe4fddd476d1bfdc
SHA256:	bf8f26dff443e2d58b8da516c8668fb350f809e28c61d546c1c0e7fe8d3d0829
SHA512:	09ee78eb39bdfd63bafaa7985b383e6d194033fae92ad532b0765767de50761a1477c47e7b62b624bce192a27b4b5a0283f98eea2d3a7ca2cecccf580b83f097
SSDEEP:	384:48EW+4HU36e6ISbt27F/JfGWT6tTUFCqzF6ObbC:CW3036527QIbC
TLSH:	5EE2194A6BA85216C2AC5AFC8CB303114772E2478472EB5F9CDC88CA4B776D03595FED
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Xg.................P... ......^g... ........@.. ....................................@................................

Entrypoint:	0x40675e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675895D9 [Tue Dec 10 19:26:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6710	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x290	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4764	0x5000	b16009a28128d098dd9d17a0d9e6d716	False	0.48046875	data	5.380676075255724	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x290	0x1000	f2681272b0e074508193c2d042bd482a	False	0.07666015625	data	0.6583573461747256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x1000	f0a40eda646e7acf8d694ed252289cc7	False	0.0107421875	data	0.012638662471219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 23:29:40.865930080 CET	49673	443	192.168.2.9	204.79.197.203
Dec 19, 2024 23:29:49.225461960 CET	49676	443	192.168.2.9	23.206.229.209
Dec 19, 2024 23:29:49.228815079 CET	49675	443	192.168.2.9	23.206.229.209
Dec 19, 2024 23:29:49.272182941 CET	49677	443	192.168.2.9	20.189.173.11
Dec 19, 2024 23:29:49.459671021 CET	49674	443	192.168.2.9	23.206.229.209
Dec 19, 2024 23:29:51.936721087 CET	443	49704	23.206.229.209	192.168.2.9
Dec 19, 2024 23:29:51.936876059 CET	49704	443	192.168.2.9	23.206.229.209
Dec 19, 2024 23:29:57.040558100 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:29:57.040602922 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:29:57.040676117 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:29:57.041007996 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:29:57.041023016 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:29:58.741761923 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:29:58.794009924 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:29:58.794025898 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:29:58.795361042 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:29:58.795375109 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:29:58.795418024 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:29:58.803497076 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:29:58.803664923 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:29:58.898947001 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:29:58.898972034 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:29:59.110379934 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:30:08.457824945 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:30:08.457905054 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:30:08.458724976 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:30:08.537724018 CET	49719	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:30:08.537756920 CET	443	49719	142.250.181.132	192.168.2.9
Dec 19, 2024 23:30:56.963143110 CET	49778	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:30:56.963202000 CET	443	49778	142.250.181.132	192.168.2.9
Dec 19, 2024 23:30:56.963299036 CET	49778	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:30:56.963530064 CET	49778	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:30:56.963543892 CET	443	49778	142.250.181.132	192.168.2.9
Dec 19, 2024 23:30:58.658487082 CET	443	49778	142.250.181.132	192.168.2.9
Dec 19, 2024 23:30:58.658782959 CET	49778	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:30:58.658795118 CET	443	49778	142.250.181.132	192.168.2.9
Dec 19, 2024 23:30:58.659146070 CET	443	49778	142.250.181.132	192.168.2.9
Dec 19, 2024 23:30:58.659447908 CET	49778	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:30:58.659523010 CET	443	49778	142.250.181.132	192.168.2.9
Dec 19, 2024 23:30:58.712390900 CET	49778	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:31:08.443653107 CET	443	49778	142.250.181.132	192.168.2.9
Dec 19, 2024 23:31:08.443739891 CET	443	49778	142.250.181.132	192.168.2.9
Dec 19, 2024 23:31:08.443835974 CET	49778	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:31:08.917315960 CET	49778	443	192.168.2.9	142.250.181.132
Dec 19, 2024 23:31:08.917352915 CET	443	49778	142.250.181.132	192.168.2.9

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 23:29:52.751377106 CET	53	59465	1.1.1.1	192.168.2.9
Dec 19, 2024 23:29:52.776220083 CET	53	61429	1.1.1.1	192.168.2.9
Dec 19, 2024 23:29:55.484868050 CET	53	55798	1.1.1.1	192.168.2.9
Dec 19, 2024 23:29:56.902257919 CET	60151	53	192.168.2.9	1.1.1.1
Dec 19, 2024 23:29:56.902457952 CET	56178	53	192.168.2.9	1.1.1.1
Dec 19, 2024 23:29:57.039230108 CET	53	60151	1.1.1.1	192.168.2.9
Dec 19, 2024 23:29:57.039249897 CET	53	56178	1.1.1.1	192.168.2.9
Dec 19, 2024 23:29:59.195641041 CET	64203	53	192.168.2.9	1.1.1.1
Dec 19, 2024 23:29:59.195791006 CET	53890	53	192.168.2.9	1.1.1.1
Dec 19, 2024 23:30:07.551079035 CET	53	53297	1.1.1.1	192.168.2.9
Dec 19, 2024 23:30:09.509114027 CET	52789	53	192.168.2.9	1.1.1.1
Dec 19, 2024 23:30:09.509332895 CET	62502	53	192.168.2.9	1.1.1.1
Dec 19, 2024 23:30:12.507883072 CET	53	52626	1.1.1.1	192.168.2.9
Dec 19, 2024 23:30:29.749607086 CET	138	138	192.168.2.9	192.168.2.255
Dec 19, 2024 23:30:31.367007971 CET	53	62207	1.1.1.1	192.168.2.9
Dec 19, 2024 23:30:52.269032001 CET	53	49609	1.1.1.1	192.168.2.9
Dec 19, 2024 23:30:54.071337938 CET	53	51379	1.1.1.1	192.168.2.9
Dec 19, 2024 23:31:24.586431026 CET	53	56476	1.1.1.1	192.168.2.9

Timestamp	Bytes transferred	Direction	Data
2024-12-19 22:30:01 UTC	549	OUT	GET /scripts/c/ms.jsll-4.min.js HTTP/1.1 Host: js.monitor.azure.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-19 22:30:01 UTC	896	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 22:30:01 GMT Content-Type: text/javascript; charset=utf-8 Content-Length: 207935 Connection: close Vary: Accept-Encoding Cache-Control: no-transform, public, max-age=1800, immutable Last-Modified: Mon, 14 Oct 2024 17:27:31 GMT ETag: 0x8DCEC757C1AD1D1 x-ms-request-id: 17764986-301e-00bb-42c8-4b7a7d000000 x-ms-version: 2009-09-19 x-ms-meta-jssdkver: 4.3.3 x-ms-meta-jssdksrc: [cdn]/scripts/c/ms.jsll-4.3.3.min.js Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-jssdkver,x-ms-meta-jssdksrc,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20241219T223001Z-156796c549b962xshC1EWRx3hc0000000m5g000000003knk x-fd-int-roxy-purgeid: 0 X-Cache-Info: L2_T2 X-Cache: TCP_REMOTE_HIT Accept-Ranges: bytes
2024-12-19 22:30:01 UTC	15488	IN	Data Raw: 2f 2a 21 0a 20 2a 20 31 44 53 20 4a 53 4c 4c 20 53 4b 55 2c 20 34 2e 33 2e 33 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 4d 69 63 72 6f 73 6f 66 74 20 61 6e 64 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 0a 20 2a 20 28 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 61 6c 20 4f 6e 6c 79 29 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 3d 22 75 6e 64 65 66 69 6e 65 64 22 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 21 3d 6e 29 74 28 65 78 70 6f 72 74 73 29 3b 65 6c 73 65 20 69 66 28 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 Data Ascii: /! 1DS JSLL SKU, 4.3.3 * Copyright (c) Microsoft and contributors. All rights reserved. * (Microsoft Internal Only) */!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&defi
2024-12-19 22:30:01 UTC	16384	IN	Data Raw: 22 2b 74 5d 29 3f 6e 28 69 29 3a 28 72 3d 66 65 28 22 63 6f 6e 73 6f 6c 65 22 29 29 26 26 28 72 2e 65 72 72 6f 72 7c 7c 72 2e 6c 6f 67 29 28 74 2c 63 65 28 69 29 29 29 29 7d 53 65 28 61 3d 7b 74 68 65 6e 3a 6f 2c 22 63 61 74 63 68 22 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 6f 28 75 6e 64 65 66 69 6e 65 64 2c 65 29 7d 2c 22 66 69 6e 61 6c 6c 79 22 3a 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 65 3d 74 2c 6e 3d 74 3b 72 65 74 75 72 6e 20 51 28 74 29 26 26 28 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 74 26 26 74 28 29 2c 65 7d 2c 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 74 68 72 6f 77 20 74 26 26 74 28 29 2c 65 7d 29 2c 6f 28 65 2c 6e 29 7d 7d 2c 22 73 74 61 74 65 22 2c 7b 67 65 74 3a 64 7d 29 2c 68 74 28 29 26 Data Ascii: "+t])?n(i):(r=fe("console"))&&(r.error\|\|r.log)(t,ce(i))))}Se(a={then:o,"catch":function(e){return o(undefined,e)},"finally":function(t){var e=t,n=t;return Q(t)&&(e=function(e){return t&&t(),e},n=function(e){throw t&&t(),e}),o(e,n)}},"state",{get:d}),ht()&
2024-12-19 22:30:01 UTC	16384	IN	Data Raw: 74 69 6f 6e 20 67 63 28 65 2c 74 2c 6e 2c 72 29 7b 67 65 28 65 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 65 26 26 65 5b 74 5d 26 26 28 6e 3f 28 6e 2e 63 62 5b 74 65 5d 28 7b 66 6e 3a 72 2c 61 72 67 3a 65 7d 29 2c 6e 2e 68 3d 6e 2e 68 7c 7c 6e 6e 28 70 63 2c 30 2c 6e 29 29 3a 4d 28 72 2c 5b 65 5d 29 29 7d 29 7d 68 63 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 76 63 3d 68 63 3b 66 75 6e 63 74 69 6f 6e 20 68 63 28 65 29 7b 74 68 69 73 2e 6c 69 73 74 65 6e 65 72 73 3d 5b 5d 3b 76 61 72 20 6e 2c 69 3d 5b 5d 2c 61 3d 7b 68 3a 6e 75 6c 6c 2c 63 62 3a 5b 5d 7d 2c 6f 3d 76 6f 28 65 2c 64 63 29 5b 4b 6e 5d 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6e 3d 21 21 65 2e 63 66 67 2e 70 65 72 66 45 76 74 73 53 65 6e 64 41 6c 6c 7d 29 3b 76 65 28 68 63 2c 74 68 69 73 2c 66 75 Data Ascii: tion gc(e,t,n,r){ge(e,function(e){e&&e[t]&&(n?(n.cb[te]({fn:r,arg:e}),n.h=n.h\|\|nn(pc,0,n)):M(r,[e]))})}hc.__ieDyn=1;var vc=hc;function hc(e){this.listeners=[];var n,i=[],a={h:null,cb:[]},o=vo(e,dc)[Kn](function(e){n=!!e.cfg.perfEvtsSendAll});ve(hc,this,fu

Target ID:	0
Start time:	17:29:44
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe"
Imagebase:	0x490000
File size:	33'050 bytes
MD5 hash:	072A26B0404336B233FA92EDA9969757
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1421078068.0000000000492000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	17:29:50
Start date:	19/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	17:29:51
Start date:	19/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2084,i,2808867783359981459,11530441514433520162,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	17:29:53
Start date:	19/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

E-Banking Fraud

System Summary

Boot Survival

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Chrome Cache Entry: 108

Chrome Cache Entry: 109

Windows Analysis Report
17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre