Windows Analysis Report
WAXD480.exe

Overview

General Information

Sample name: WAXD480.exe
(renamed file extension from tmp to exe)
Original sample name: WAXD480.tmp
Analysis ID: 1430820
MD5: 7f1ffc9be9757477a8a39cb06d5032c8
SHA1: 31a174cb6a0d6b4f59529235d8efdb5bf5cca94a
SHA256: f9a43eaa4e4ba619d3470762e5cd4226ad707f59bd89d892584df2771089ef3d

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file does not import any functions
Uses 32bit PE files

Classification

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=WAXD480.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: WAXD480.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.202.57.177:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.202.57.177:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: WAXD480.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 63.140.37.206 63.140.37.206
Source: Joe Sandbox View IP Address: 13.107.213.69 13.107.213.69
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 63.140.36.51 63.140.36.51
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32 (3 events)
Source: unknown TCP traffic detected without corresponding DNS query: 23.202.57.177 (18 events)
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26 (27 events)
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.234.57 (2 events)
Source: global traffic HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1
    Host: wcpstatic.microsoft.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: same-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: https://learn.microsoft.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: MC1=GUID=749eee6039c5489b9db3000c7ab3f399&HASH=749e&LV=202310&V=4&LU=1696413236917; MUID=375E6F2E0D8F6B9C2CEB7C8E098F6DFE
Source: global traffic HTTP traffic detected: GET /scripts/c/ms.jsll-3.min.js HTTP/1.1
    Host: js.monitor.azure.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: https://learn.microsoft.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rest/v1/delivery?client=microsoftmscompoc&sessionId=0791c829041c4c068b787022a66647a2&version=2.9.0 HTTP/1.1
    Host: target.microsoft.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: MC1=GUID=749eee6039c5489b9db3000c7ab3f399&HASH=749e&LV=202310&V=4&LU=1696413236917; MUID=375E6F2E0D8F6B9C2CEB7C8E098F6DFE; MSCC=NR; at_check=true; mbox=session#0791c829041c4c068b787022a66647a2#1713944149|PC#0791c829041c4c068b787022a66647a2.35_0#1748122289
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gztnYs+RTGfK+AB&MD=PdPVE7VN HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rest/v1/delivery?client=microsoftmscompoc&sessionId=0791c829041c4c068b787022a66647a2&version=2.9.0 HTTP/1.1
    Host: target.microsoft.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: MC1=GUID=749eee6039c5489b9db3000c7ab3f399&HASH=749e&LV=202310&V=4&LU=1696413236917; MUID=375E6F2E0D8F6B9C2CEB7C8E098F6DFE; MSCC=NR; at_check=true; mbox=session#0791c829041c4c068b787022a66647a2#1713944151|PC#0791c829041c4c068b787022a66647a2.35_0#1748122289; MS0=1e372c3aab014af7b628c367b32124df
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gztnYs+RTGfK+AB&MD=PdPVE7VN HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: chromecache_94.3.dr String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${encodeURIComponent(e)}&text=${encodeURIComponent(dS.replace("{credentialName}",t.title))}" equals www.linkedin.com (Linkedin)
Source: chromecache_94.3.dr String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_94.3.dr String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_94.3.dr String found in binary or memory: </div>`;w(e,t)}}function kA(t){x.documentElement.classList.add("api-search-has-results");for(let{container:e}of vy)e.textContent=t}function Xne(){x.documentElement.classList.remove("api-search-has-results");for(let{container:t}of vy)t.innerHTML=""}function iEe(t,e){let o=dt(),n,r;if(o==="")n=_r[Rt].displayName,r=null;else{let a=e.packagesByMoniker[o];n=a.product.displayName,r=a.versionDisplayName}let s=x.createElement("h2");s.classList.add("api-search-results-heading","font-size-h3");let i=m`${EA.resultsHeadingTemplate.replace("{platformName}",n)}`;if(w(i,s),r!==null&&Rt==="rest"){let a=m`${ee(`${Oe(o)} REST ${EA.resultsHeadingTemplate.replace("{platformName}",n)}`)}`;w(a,s)}else if(r!==null){let a=m`${ee(`${EA.resultsHeadingTemplate.replace("{platformName}",n)} <span class="moniker-version">version ${Oe(r)}</span>`)}`;w(a,s)}t.appendChild(s)}function o1(t,e){if(e!==""&&!/[?&]view=/i.test(t)){let[n,r]=t.split("#");r=r===void 0?"":"#"+r,t=Rt==="rest"?`${n}${r}`:`${n}?view=${encodeURIComponent(e)}${r}`}let o=new URL(t,location.origin);return t=`${o.pathname}${o.search}${o.hash}`,Rt!=="rest"&&(t=`/${_.data.userLocale}${t}`),t}var fm="api-search-term-changed",Ch="";function gm(){return Ch}function n1(t){t=t.trim(),t!==Ch&&(Ch=t,_.data.pageTemplate==="ApiBrowserPage"&&Mt({term:Ch},"pushState"),window.dispatchEvent(new CustomEvent(fm,{detail:{term:Ch}})))}function Zne(){let t=oe().term;return t===void 0?"":t.trim()}_.data.pageTemplate==="ApiBrowserPage"&&(Ch=Zne(),window.addEventListener("popstate",()=>n1(Zne())));function ere(){q.addEventListener(fm,r1),q.addEventListener(Mr,r1),_.data.pageTemplate==="ApiBrowserPage"&&r1()}var AA="";function r1(){let t=gm(),e=dt(),o=`${t}/${e}`;return 
o===AA?Promise.resolve():(AA=o,_.data.pageTemplate==="ApiBrowserPage"&&e!==""&&t===""?(t1(),Promise.all([Wne(Rt,e,_.data.userLocale),il()]).then(([n,r])=>{if(o===AA){if(n.apiItems.length===0){kA(Xo);return}CA(r,n.apiItems,null)}},()=>{kA(TP)})):t.length<3?(Xne(),Promise.resolve()):_r[Rt].validSearchTerm.test(t)?(t1(),Promise.all([wA(Rt,e,t,_.data.userLocale),il()]).then(([n,r])=>{o===AA&&(s1(e,t,n.results.length),CA(r,n.results,n["@nextLink"]))},()=>{kA(TP)})):il().then(n=>CA(n,[],null)))}function s1(t,e,o){Ge({actionType:He.OTHER,behavior:Ee.SEARCH,content:{event:"api-browser-search",platform:Rt,moniker:t,term:e,results:o}})}var tre="api-search-field";function ore(){let t=x.createElement("form");t.classList.add(tre,"margin-top-xxs"),t.setAttribute(To.name,tre),t.action="javascript:",t.addEventListener("submit",l=>l.preventDefault());let e=x.createElement("label"),o=x.createElement("span");o.classList.add("visually-hidden"),o.textContent=mo,e.appendChild(o),t.appendChild(e);let n=x.createElement("input");n.type="search",n.classList.add("input","input-lg","padding-right-sm"),n.value=gm(),n.placeholder=mo,e.appendChild(n);let r=x.createElement("a");r.href="#",r.title=_2,r.classList.add("clear"),r.addEventListener("click",l=>{l.preventDefault(),n.value="",n.dispatchEvent(
Source: chromecache_94.3.dr String found in binary or memory: </div>`}function gCe(t){return t.authenticationModes?t.authenticationModes.map(e=>e.type).includes("MSA"):!1}function hCe(t){let e=t.authenticationModes.find(o=>o.type==="MSA");return e?e.upn:null}function bCe(t){let e=t.authenticationModes.find(o=>o.type==="AAD");return e?e.upn:null}function _Ce(t,e,o){return e??(Qt(t.email)?o:t.email)??""}function $re(t){let e=gCe(t),o=e?hCe(t):null,n=e?null:bCe(t),r=_Ce(t,o,n);return[e,r]}function vCe(t,e){let[o,n]=$re(e);if(o){let i=t.querySelector("#report-msa-email-account");i.innerText=n}let r=t.querySelector("#opt-into-email-checkbox"),s=t.querySelector("#submitter-info");r.addEventListener("change",()=>{r.checked?s.hidden=!1:s.hidden=!0})}function yCe(t){if(!t)return;let e=t.querySelector("#select-reason"),o=t.querySelector("#other-reason-textarea-container"),n=o.querySelector("textarea");!e||!o||!n||(e.value==="Other"&&(o.hidden=!1,n.required=!0),e.addEventListener("change",()=>{e.value==="Other"||e.value==="14"?(o.hidden=!1,n.required=!0,n.disabled=!1):(o.hidden=!0,n.required=!1,n.disabled=!0)}))}var oo;function Nre(){let t=document.getElementById("share-to-linkedin-profile");t&&t.addEventListener("click",e=>{let o=e.currentTarget,n=JSON.parse(o.dataset.credential),r=document.createElement("div"),s=xCe(n);w(s,r),oo=new Se(r),oo.show();let i=document.getElementById("share-to-feed-button"),a=document.getElementById("linkedin-feed-message"),l=new URL(decodeURI(i.getAttribute("href")));a.onchange=()=>{l.searchParams.set("text",a.value),i.setAttribute("href",l.toString())}})}function xCe(t){let e=encodeURI(`https://${location.host}/api/credentials/share/${_.data.userLocale}/${R.userName}/${t?.credentialId}?sharingId=${R.sharingId}`),o=1035,n=i=>new Date(i).getFullYear(),r=i=>new 
Date(i).getMonth()+1,s=encodeURI(`https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=${t.title}&organizationId=${o}&issueYear=${n(t.awardedOn)}&issueMonth=${r(t.awardedOn)}&expirationYear=${t.expiresOn?n(t.expiresOn):""}&expirationMonth=${t.expiresOn?r(t.expiresOn):""}&certUrl=${e}&certId=${t.credentialId}&skills=${t.skills?`${t.skills.map(i=>encodeURIComponent(i)).join(",")}`:""}`);return m` equals www.linkedin.com (Linkedin)
Source: unknown DNS traffic detected: queries for: js.monitor.azure.com
Source: unknown HTTP traffic detected: POST /rest/v1/delivery?client=microsoftmscompoc&sessionId=0791c829041c4c068b787022a66647a2&version=2.9.0 HTTP/1.1
    Host: target.microsoft.com
    Connection: keep-alive
    Content-Length: 1111
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-platform: "Windows"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Content-Type: text/plain
    Accept: */*
    Origin: https://learn.microsoft.com
    Sec-Fetch-Site: same-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://learn.microsoft.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: MC1=GUID=749eee6039c5489b9db3000c7ab3f399&HASH=749e&LV=202310&V=4&LU=1696413236917; MUID=375E6F2E0D8F6B9C2CEB7C8E098F6DFE; MSCC=NR; at_check=true; mbox=session#0791c829041c4c068b787022a66647a2#1713944147
Source: WAXD480.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl19/
Source: chromecache_94.3.dr String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_94.3.dr String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_94.3.dr String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_94.3.dr String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_93.3.dr String found in binary or memory: http://schema.org/Organization
Source: chromecache_85.3.dr, chromecache_103.3.dr String found in binary or memory: http://www.gimp.org/xmp/
Source: chromecache_93.3.dr String found in binary or memory: https://aka.ms/ContentUserFeedback
Source: chromecache_94.3.dr String found in binary or memory: https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events
Source: chromecache_94.3.dr String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_93.3.dr String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_94.3.dr String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_93.3.dr String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_93.3.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_93.3.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_94.3.dr String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: chromecache_94.3.dr String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_94.3.dr String found in binary or memory: https://github.com/$
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/Thraka
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/adegeo
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/dotnet/docs/issues
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_94.3.dr String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/gewarren
Source: chromecache_94.3.dr String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_77.3.dr, chromecache_94.3.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/mairaw
Source: chromecache_93.3.dr String found in binary or memory: https://github.com/nschonni
Source: chromecache_93.3.dr String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js
Source: chromecache_94.3.dr String found in binary or memory: https://learn-video.azurefd.net/
Source: chromecache_94.3.dr String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_94.3.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_94.3.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0
Source: chromecache_94.3.dr String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_94.3.dr String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_94.3.dr String found in binary or memory: https://schema.org
Source: chromecache_94.3.dr String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_94.3.dr String found in binary or memory: https://www.cafbaseline.com/
Source: chromecache_94.3.dr String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: chromecache_94.3.dr String found in binary or memory: https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: WAXD480.exe Static PE information: No import functions for PE file found
Source: WAXD480.exe Binary string: a\Device\HarddiskVolume4\Windows>
Source: classification engine Classification label: clean3.winEXE@25/61@12/7
Source: WAXD480.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
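Added triage note and example (not part of the Joe Sandbox report). "PE file does not import any functions" is a strong packer/shellcode indicator for a native binary, but it is normal for a managed (.NET) image: the loader dispatches such a file to mscoree via the CLR header in data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), so an import table is not needed. The process tree below shows exactly that path for this sample, with the .NET shim (shimver=4.0.30319.0) opening the "application not started" redirect because it found no runtime version (o1=SHIM_NOVERSION_FOUND, version=(null)). The Python below checks which case a no-import PE falls into by parsing the COFF/optional headers, the data directories and, when present, the IMAGE_COR20_HEADER; it also decodes the DllCharacteristics bits the report lists (HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE). It runs against a constructed minimal PE32 built in `build_sample_pe`, not against WAXD480.exe; that blob's section layout, RVAs and CLR header values are invented for the demonstration.

```python
"""Triage for a PE with no import table: managed (.NET) image or native self-resolving code?
Added example, not from the sandbox report. Standard library only; headers are parsed by hand."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_IMPORT, DIR_COM_DESCRIPTOR = 1, 14          # IMAGE_DIRECTORY_ENTRY_* indexes
DLL_CHARACTERISTICS = {                         # bits of OptionalHeader.DllCharacteristics
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE",
}
COR_FLAGS = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x8: "STRONGNAMESIGNED"}


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def pe_summary(data: bytes) -> dict:
    """Parse COFF/optional headers, data directories and (if present) the CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsect, _ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                               # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, opt + dirs_off + 8 * i) for i in range(ndirs)]
    sect_off = opt + opt_size
    sections = []
    for i in range(nsect):                                      # 40-byte IMAGE_SECTION_HEADERs
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))

    def present(idx):
        return idx < len(dirs) and dirs[idx][0] != 0 and dirs[idx][1] != 0

    info = {
        "machine": machine,
        "is_32bit": magic == PE32_MAGIC,
        "has_imports": present(DIR_IMPORT),
        "is_managed": present(DIR_COM_DESCRIPTOR),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "clr": None,
    }
    if info["is_managed"]:
        off = _rva_to_offset(sections, dirs[DIR_COM_DESCRIPTOR][0])
        _cb, major, minor, _md_rva, _md_size, flags = struct.unpack_from("<IHHIII", data, off)
        # major/minor are the CLR header format version (2.5 for all .NET 2.0+ images), not the
        # framework version the shim selects; that is stored in the metadata version string.
        info["clr"] = {"header_version": "%d.%d" % (major, minor),
                       "flags": [n for bit, n in COR_FLAGS.items() if flags & bit]}
    return info


def triage(data: bytes) -> str:
    s = pe_summary(data)
    if s["is_managed"] and not s["has_imports"]:
        return "managed image: empty import table is expected, inspect the CLR metadata instead"
    if not s["has_imports"]:
        return "native image with no imports: packed or self-resolving, inspect further"
    return "native image with an import table"


def build_sample_pe(managed: bool = True) -> bytes:
    """Constructed minimal PE32 for the demo (NOT WAXD480.exe): one .text section at RVA 0x2000 /
    file offset 0x200, no import directory, and optionally a CLR header at RVA 0x2008."""
    opt_size = 224                                              # PE32 with 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, 0x8560)                     # the five DllCharacteristics above
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 72)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    body = bytearray(0x200)
    struct.pack_into("<IHHIII", body, 8, 72, 2, 5, 0x2050, 0x100, 0x1)   # IMAGE_COR20_HEADER, ILONLY
    return headers + bytes(body)


if __name__ == "__main__":
    print(triage(build_sample_pe(managed=True)))
    print(triage(build_sample_pe(managed=False)))
```

To use it on a real file, pass `open(path, "rb").read()` to `triage`; a managed verdict means the next step is the CLR metadata (assembly references, the metadata version string the shim reads), while a native no-import verdict warrants unpacking or dynamic API-resolution analysis.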
Source: C:\Users\user\Desktop\WAXD480.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\WAXD480.exe "C:\Users\user\Desktop\WAXD480.exe"
Source: C:\Users\user\Desktop\WAXD480.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WAXD480.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1680 --field-trial-handle=2028,i,4872466835619599832,212431843967096772,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,12553455973178745463,2557296557389022246,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\WAXD480.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\WAXD480.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: WAXD480.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WAXD480.exe Static file information: File size 14544896 > 1048576
Source: WAXD480.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WAXD480.exe Static PE information: 0xFF7D5888 [Sat Oct 31 03:59:04 2105 UTC]
Source: WAXD480.exe, 00000000.00000002.1765382088.000000000069C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WAXD480.exe, 00000000.00000002.1765382088.000000000069C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\