Edit tour

Windows Analysis Report
{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml

Overview

General Information

Sample name:	{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml
Analysis ID:	1541127
MD5:	2d3c508321b32b43ee4192d54bc0ed15
SHA1:	e60a6dc0e6374c5adffce59e1b34635769e39767
SHA256:	96003b2bc14e105d7649310c9f5f0cb1b71c809a17b07a6456be4e4841cba187
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Maps a DLL or memory area into another process

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

Potential browser exploit detected (process start blacklist hit)

Sigma detected: Use Short Name Path in Command Line

Classification

Process Tree

System is w10x64

MSOXMLED.EXE (PID: 4484 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Desktop\{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml" MD5: A2E6E2A1C125973A4967540FD08C9AF0)

iexplore.exe (PID: 1020 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 5924 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ie_to_edge_stub.exe (PID: 6524 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c MD5: 89CF8972D683795DAB6901BC9456675D)

msedge.exe (PID: 5500 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7320 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2148,i,17130950267540690854,13973253162782942083,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

ssvagent.exe (PID: 3452 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

msedge.exe (PID: 7336 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7664 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2828 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8360 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5868 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

identity_helper.exe (PID: 8580 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5768 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

identity_helper.exe (PID: 8600 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5768 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

msedge.exe (PID: 8284 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6864 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=2092,i,1275717734434222331,13943601166396774442,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7424 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 796 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2176,i,13810906325023881848,113091338376837868,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Sigma Signatures

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 5924, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 3452, ProcessName: ssvagent.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 1020, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Source: global traffic

TCP traffic: 192.168.2.4:60213 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 13.107.246.57 13.107.246.57
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.95
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.57
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.232.182
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1730374811&P2=404&P3=2&P4=eyEJMar66EjaXc1c2IncUP9ze73ukP9o%2fV0XCTSV%2foCCD6NGtFh0LNITjmaYIDF19tiwKN%2bYOzX5ESmgnNrXsA%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: ALZO8dbXCPrwsCnxqsS2LgSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: msapplication.xml1.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8e1a23a1,0x01db2609</date><accdate>0x8e1c98b9,0x01db2609</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8e23ba83,0x01db2609</date><accdate>0x8e2603e1,0x01db2609</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8e28755b,0x01db2609</date><accdate>0x8e29b5d8,0x01db2609</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 200.163.202.172.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ar.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ar.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ar.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ar.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://au.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://au.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://au.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://au.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://br.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://br.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://br.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://br.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ca.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ca.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ca.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ca.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://cf.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://cl.search.yahoo.com/
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://cl.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://co.search.yahoo.com/
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://co.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://de.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://de.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://de.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://de.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://es.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://es.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://es.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://es.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://espanol.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://espanol.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://espanol.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://espanol.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://fr.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://fr.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://fr.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://fr.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://hk.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://hk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://hk.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://hk.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://id.search.yahoo.com/
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://id.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ie.search.yahoo.com/os?appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://in.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://in.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://in.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://it.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://it.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://it.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://kr.search.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://kr.search.yahoo.com/ei=UTF-8&fr=yie8ms&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://kr.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://kr.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://kr.searchcenter.yahoo.com/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://livesearch.msn.co.kr/
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://malaysia.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://malaysia.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://malaysia.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://mx.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://mx.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://mx.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://nz.search.yahoo.com/
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://nz.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://pe.search.yahoo.com/
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://pe.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ph.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ph.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ph.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://qc.search.yahoo.com/
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://qc.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ru.search.yahoo.com
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.cn.yahoo.com/
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.yahoo.com/
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sg.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sg.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sg.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.ar.search.yahoo.com/os?market=ar&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.au.search.yahoo.com/os?market=au&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.ca.search.yahoo.com/os?market=ca&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.de.search.yahoo.com/os?market=de&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.e1.search.yahoo.com/os?market=e1&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.es.search.yahoo.com/os?market=es&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.fr.search.yahoo.com/os?market=fr&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.hk.search.yahoo.com/os?market=hk&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.id.search.yahoo.com/os?market=id&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.in.search.yahoo.com/os?market=in&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.it.search.yahoo.com/os?market=it&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.mx.search.yahoo.com/os?market=mx&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.my.search.yahoo.com/os?market=my&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.nz.search.yahoo.com/os?market=nz&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.ph.search.yahoo.com/os?market=ph&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.qc.search.yahoo.com/os?market=qc&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.sg.search.yahoo.com/os?market=sg&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.th.search.yahoo.com/os?market=th&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.tw.search.yahoo.com/os?market=tw&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.uk.search.yahoo.com/os?market=uk&appid=ie8&command=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://sugg-ie.vn.search.yahoo.com/os?market=vn&appid=ie8&command=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://th.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://tw.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://uk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://uk.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://uk.search.yahoo.com/search?p=
Source: KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ve.search.yahoo.com/
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://ve.search.yahoo.com/search?p=
Source: known_providers_download_v1[1].xml.1.dr	String found in binary or memory: http://vn.search.yahoo.com/search?p=
Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.1.dr	String found in binary or memory: http://www.youtube.com/
Source: Network Persistent State0.8.dr, 91c92e27-0daa-4221-ae09-6c06441a1433.tmp.9.dr	String found in binary or memory: https://chrome.cloudflare-dns.com
Source: manifest.json0.8.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: manifest.json0.8.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: fc04b53c-54ca-4b24-a922-9aadf29d9a5d.tmp.9.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json.8.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: fc04b53c-54ca-4b24-a922-9aadf29d9a5d.tmp.9.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: manifest.json.8.dr	String found in binary or memory: https://docs.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive.google.com/
Source: 000003.log7.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: content_new.js.8.dr, content.js.8.dr	String found in binary or memory: https://www.google.com/chrome
Source: fc04b53c-54ca-4b24-a922-9aadf29d9a5d.tmp.9.dr	String found in binary or memory: https://www.googleapis.com
Source: Top Sites.8.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.8.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 60217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60215
Source: unknown	Network traffic detected: HTTP traffic on port 60216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 60215 -> 443

Source: classification engine

Classification label: sus22.evad.winXML@57/314@10/6

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF94EA510BB99C4B82.TMP

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.8.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE "C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Desktop\{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2148,i,17130950267540690854,13973253162782942083,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2828 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5868 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5768 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5768 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=2092,i,1275717734434222331,13943601166396774442,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2176,i,13810906325023881848,113091338376837868,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2148,i,17130950267540690854,13973253162782942083,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2828 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5868 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5768 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5768 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=2092,i,1275717734434222331,13943601166396774442,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2176,i,13810906325023881848,113091338376837868,262144 /prefetch:3

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: appvisvsubsystems32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: c2r32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868			Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: ie_to_edge_stub.exe, 00000003.00000002.1756574524.000002A803C13000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	111 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://chromewebstore.google.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	unknown
googlehosted.l.googleusercontent.com	216.58.206.65	true	false	unknown
sni1gl.wpc.nucdn.net	152.199.21.175	true	false	unknown
clients2.googleusercontent.com	unknown	unknown	false	unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false	unknown
200.163.202.172.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://id.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://in.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://uk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://au.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://pe.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://br.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://es.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://search.yahoo.com/favicon.ico	known_providers_download_v1[1].xml.1.dr	false		unknown
http://hk.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://it.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://br.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://malaysia.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://ph.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://co.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://fr.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
https://docs.google.com/	manifest.json.8.dr	false		unknown
http://sugg-ie.in.search.yahoo.com/os?market=in&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://search.live.com/results.aspx?FORM=SOLTDF&q=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.th.search.yahoo.com/os?market=th&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://ve.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.sg.search.yahoo.com/os?market=sg&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.es.search.yahoo.com/os?market=es&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://search.cn.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.ar.search.yahoo.com/os?market=ar&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
https://drive.google.com/	manifest.json.8.dr	false		unknown
http://ar.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://livesearch.msn.co.kr/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://sg.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://au.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://ph.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://qc.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://www.reddit.com/	msapplication.xml5.1.dr	false		unknown
http://sugg-ie.vn.search.yahoo.com/os?market=vn&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://ca.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
https://www.office.com/	Top Sites.8.dr	false		unknown
http://cf.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://tw.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://hk.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://espanol.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
https://drive-daily-2.corp.google.com/	manifest.json.8.dr	false		unknown
https://drive-daily-4.corp.google.com/	manifest.json.8.dr	false		unknown
http://ar.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://search.msn.co.jp/results.aspx?q=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.ph.search.yahoo.com/os?market=ph&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://sg.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://kr.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://search.msn.co.uk/results.aspx?q=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.nz.search.yahoo.com/os?market=nz&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://espanol.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://fr.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://ca.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://ph.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
https://drive-daily-1.corp.google.com/	manifest.json.8.dr	false		unknown
http://kr.search.yahoo.com/ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
https://drive-daily-5.corp.google.com/	manifest.json.8.dr	false		unknown
http://cl.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://hk.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://uk.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://mx.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.ca.search.yahoo.com/os?market=ca&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.de.search.yahoo.com/os?market=de&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://vn.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
https://www.google.com/chrome	content_new.js.8.dr, content.js.8.dr	false		unknown
http://sugg-ie.au.search.yahoo.com/os?market=au&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://www.youtube.com/	msapplication.xml8.1.dr	false		unknown
http://malaysia.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
https://chromewebstore.google.com/	manifest.json0.8.dr	false	URL Reputation: safe	unknown
http://hk.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://tw.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
https://drive-preprod.corp.google.com/	manifest.json.8.dr	false		unknown
https://chrome.google.com/webstore/	manifest.json0.8.dr	false		unknown
http://sugg-ie.it.search.yahoo.com/os?market=it&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://ca.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://es.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://espanol.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://br.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.mx.search.yahoo.com/os?market=mx&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://it.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://it.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.hk.search.yahoo.com/os?market=hk&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://in.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		unknown
http://th.search.yahoo.com/search?p=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://cnweb.search.live.com/results.aspx?q=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://co.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://www.twitter.com/	msapplication.xml6.1.dr	false		unknown
http://au.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://search.live.com/results.aspx?q=	known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.e1.search.yahoo.com/os?market=e1&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://sugg-ie.tw.search.yahoo.com/os?market=tw&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://malaysia.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://nz.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://es.search.yahoo.com/	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
https://drive-staging.corp.google.com/	manifest.json.8.dr	false		unknown
http://sugg-ie.uk.search.yahoo.com/os?market=uk&appid=ie8&command=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://de.search.yahoo.com/search?ei=UTF-8&fr=yie8ms&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown
http://kr.search.yahoo.com/search?ei=UTF-8&fr=yie7c&p=	KnoC6F0.tmp.1.dr, known_providers_download_v1[1].xml.1.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.57	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
216.58.206.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
142.250.114.95	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
23.218.232.182	unknown	United States	24835	RAYA-ASEG	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541127
Start date and time:	2024-10-24 13:39:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml
Detection:	SUS
Classification:	sus22.evad.winXML@57/314@10/6
Cookbook Comments:	Found application associated with file extension: .xml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 13.107.42.16, 204.79.197.239, 13.107.21.239, 142.250.185.238, 2.23.209.162, 2.23.209.157, 2.23.209.152, 2.23.209.155, 2.23.209.159, 2.23.209.154, 2.23.209.158, 2.23.209.160, 2.23.209.156, 204.79.197.200, 142.250.114.94, 142.250.113.94, 142.250.115.94
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, ieonline.microsoft.com, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, otelrules.azureedge.net, wildcardtlu-ssl.ec.azureedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, edge.microsoft.com, fe3cr.delivery.mp.microsoft.com, wildcardtlu-ssl.azureedge.net, any.edge.bing.com, l-0007.config.skype.com, go.microsoft.com.edgekey.net, clients.l.google.com, msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com, dual-a-0036.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: {89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml

Simulations

Behavior and APIs

Time	Type	Description
12:40:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
12:40:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com	Get hash	malicious	Unknown	Browse
	Demande de proposition du CPE Les Coquins.pdf	Get hash	malicious	Unknown	Browse
	Demande de proposition du CPE Les Coquins.pdf	Get hash	malicious	Unknown	Browse
	roquette October.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://careers.adobe.com/us/en/apply?jobSeqNo=ADOBUSR147673EXTERNALENUS	Get hash	malicious	Unknown	Browse
	Scan copy of document .pdf	Get hash	malicious	Unknown	Browse
	fedcap.67173a0a3d25d0.95038392.pdf	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_1a8e4ebbcc2e3f76efb2a55bb6179417263ebf3d.zip	Get hash	malicious	Unknown	Browse
	[EXTERNAL] Redbrick Communications Request For Proposal .eml	Get hash	malicious	Unknown	Browse
	http://google.com	Get hash	malicious	Unknown	Browse
239.255.255.250	attachment(1).eml	Get hash	malicious	Unknown	Browse
	https://email.email.pandadoc.net/c/eJxUkE9r4zwQxj-NdUuQR5ItHXQobfwG3rLQsmHbXspIGjeqE8m1FYfm0y-B7f65DcP8ht_zBOsa4XrNQvanI6XyGoPN-f7_7ilGN8iYdk8Pn-dxt_vOyNYtmMZwDpztLRpXK45GaGy9C943vK2NJgTDG-WQRQscZM1B1AJaztfS904pGYLuOTQtVZLTEeNhPWIKGLJfJyoszq9lQk_oDmTLdCJ2sPtSxrkSNxV0FXQ4jn8Qn48VdF_6FXQLVKIreaBUiTvSzgiJNQeJqLDhSoJpBAanJYFWrZO1kb6uRMdSLrGPHkvM6VqDaxuBBtpVCyBWEkW9wkbTCsko1-galQ4sT2-Y4uU39N85y5jEfDMn83C50P6beDlv2WTDe040V5K702Ggj9NhvKqziZY4_2J_iM3H6W67XV7Uop9j2dyq0D-yYr_S_TWuCk5v9M9mvl4sFtg5T8M8oqfrU_W4od1nvwdHIdy798HfDs_6ZwAAAP__1K2kLg	Get hash	malicious	Unknown	Browse
	PO 635614 635613_CQDM.html	Get hash	malicious	HTMLPhisher	Browse
	https://railrent-railrent.powerappsportals.com/	Get hash	malicious	Unknown	Browse
	http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com	Get hash	malicious	Unknown	Browse
	https://landsmith.ae/continue.html	Get hash	malicious	HTMLPhisher	Browse
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse
	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse
	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe	Get hash	malicious	Remcos	Browse
13.107.246.57	https://t.ly/2jKWO	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse
	https://t.ly/2jKWO	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse
	https://careers.adobe.com/us/en/apply?jobSeqNo=ADOBUSR147673EXTERNALENUS	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_1a8e4ebbcc2e3f76efb2a55bb6179417263ebf3d.zip	Get hash	malicious	Unknown	Browse
	http://google.com	Get hash	malicious	Unknown	Browse
	https://r20.rs6.net/tn.jsp?t=ujqgb8abb.0.0.zumspjcab.0&id=preview&r=3&p=http%3A%2F%2Ffiles.constantcontact.com%2F99239f29001%2F765a22db-b453-4315-a344-dc2294500069.pdf	Get hash	malicious	Unknown	Browse
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse
	http://microsoft.biosency.com/	Get hash	malicious	Unknown	Browse
	http://serviceappinfms12.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	http://pub-3424228f58ac440c9523afb01100ed68.r2.dev/emerald.html	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://t.ly/2jKWO	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	172.64.41.3
	https://t.ly/2jKWO	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	172.64.41.3
	https://www.filemail.com/t/cFCAI9C4	Get hash	malicious	HtmlDropper	Browse	172.64.41.3
	https://careers.adobe.com/us/en/apply?jobSeqNo=ADOBUSR147673EXTERNALENUS	Get hash	malicious	Unknown	Browse	172.64.41.3
	MDE_File_Sample_1a8e4ebbcc2e3f76efb2a55bb6179417263ebf3d.zip	Get hash	malicious	Unknown	Browse	162.159.61.3
	(No subject) (90).eml	Get hash	malicious	Unknown	Browse	172.64.41.3
	http://google.com	Get hash	malicious	Unknown	Browse	162.159.61.3
	SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cjar.14389.14563.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cjar.14389.14563.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
sni1gl.wpc.nucdn.net	https://careers.adobe.com/us/en/apply?jobSeqNo=ADOBUSR147673EXTERNALENUS	Get hash	malicious	Unknown	Browse	152.199.21.175
	MDE_File_Sample_1a8e4ebbcc2e3f76efb2a55bb6179417263ebf3d.zip	Get hash	malicious	Unknown	Browse	152.199.21.175
	(No subject) (90).eml	Get hash	malicious	Unknown	Browse	152.199.21.175
	http://google.com	Get hash	malicious	Unknown	Browse	152.199.21.175
	Update.exe	Get hash	malicious	Naso	Browse	152.195.19.97
	SecuriteInfo.com.FileRepPup.24407.3577.exe	Get hash	malicious	Unknown	Browse	152.199.21.175
	SecuriteInfo.com.FileRepPup.24407.3577.exe	Get hash	malicious	Unknown	Browse	152.199.21.175
	36.msi	Get hash	malicious	Numando	Browse	152.199.21.175
	33.msi	Get hash	malicious	Numando	Browse	152.199.21.175
	QbAwyjyAk3.lnk	Get hash	malicious	Numando	Browse	152.199.21.175

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	attachment(1).eml	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://email.email.pandadoc.net/c/eJxUkE9r4zwQxj-NdUuQR5ItHXQobfwG3rLQsmHbXspIGjeqE8m1FYfm0y-B7f65DcP8ht_zBOsa4XrNQvanI6XyGoPN-f7_7ilGN8iYdk8Pn-dxt_vOyNYtmMZwDpztLRpXK45GaGy9C943vK2NJgTDG-WQRQscZM1B1AJaztfS904pGYLuOTQtVZLTEeNhPWIKGLJfJyoszq9lQk_oDmTLdCJ2sPtSxrkSNxV0FXQ4jn8Qn48VdF_6FXQLVKIreaBUiTvSzgiJNQeJqLDhSoJpBAanJYFWrZO1kb6uRMdSLrGPHkvM6VqDaxuBBtpVCyBWEkW9wkbTCsko1-galQ4sT2-Y4uU39N85y5jEfDMn83C50P6beDlv2WTDe040V5K702Ggj9NhvKqziZY4_2J_iM3H6W67XV7Uop9j2dyq0D-yYr_S_TWuCk5v9M9mvl4sFtg5T8M8oqfrU_W4od1nvwdHIdy798HfDs_6ZwAAAP__1K2kLg	Get hash	malicious	Unknown	Browse	150.171.28.10
	PO 635614 635613_CQDM.html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.67
	atH4SE3Oi6.elf	Get hash	malicious	Mirai	Browse	13.107.215.82
	https://railrent-railrent.powerappsportals.com/	Get hash	malicious	Unknown	Browse	13.107.253.45
	powerpc.elf	Get hash	malicious	Unknown	Browse	20.202.12.198
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	22.91.39.83
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	52.125.155.167
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	13.107.253.44
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	22.205.171.212
CLOUDFLARENETUS	attachment(1).eml	Get hash	malicious	Unknown	Browse	104.22.54.104
	PO%20K22012FA[1].docx	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://email.email.pandadoc.net/c/eJxUkE9r4zwQxj-NdUuQR5ItHXQobfwG3rLQsmHbXspIGjeqE8m1FYfm0y-B7f65DcP8ht_zBOsa4XrNQvanI6XyGoPN-f7_7ilGN8iYdk8Pn-dxt_vOyNYtmMZwDpztLRpXK45GaGy9C943vK2NJgTDG-WQRQscZM1B1AJaztfS904pGYLuOTQtVZLTEeNhPWIKGLJfJyoszq9lQk_oDmTLdCJ2sPtSxrkSNxV0FXQ4jn8Qn48VdF_6FXQLVKIreaBUiTvSzgiJNQeJqLDhSoJpBAanJYFWrZO1kb6uRMdSLrGPHkvM6VqDaxuBBtpVCyBWEkW9wkbTCsko1-galQ4sT2-Y4uU39N85y5jEfDMn83C50P6beDlv2WTDe040V5K702Ggj9NhvKqziZY4_2J_iM3H6W67XV7Uop9j2dyq0D-yYr_S_TWuCk5v9M9mvl4sFtg5T8M8oqfrU_W4od1nvwdHIdy798HfDs_6ZwAAAP__1K2kLg	Get hash	malicious	Unknown	Browse	104.18.86.42
	Halkbank_Ekstre_20241022_081224_563756.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	PO 635614 635613_CQDM.html	Get hash	malicious	HTMLPhisher	Browse	104.21.68.211
	https://railrent-railrent.powerappsportals.com/	Get hash	malicious	Unknown	Browse	172.67.140.116
	http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://landsmith.ae/continue.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
RAYA-ASEG	atH4SE3Oi6.elf	Get hash	malicious	Mirai	Browse	62.68.231.170
	o2YUBeMZW6.elf	Get hash	malicious	Mirai	Browse	62.68.231.163
	gppc.elf	Get hash	malicious	Mirai	Browse	41.68.176.234
	jade.x86.elf	Get hash	malicious	Mirai	Browse	41.69.118.201
	nsharm.elf	Get hash	malicious	Mirai	Browse	197.132.199.75
	garm5.elf	Get hash	malicious	Mirai	Browse	41.70.6.181
	nrsh4.elf	Get hash	malicious	Mirai	Browse	41.69.166.155
	nsharm5.elf	Get hash	malicious	Mirai	Browse	41.69.118.209
	gmips.elf	Get hash	malicious	Mirai	Browse	197.132.199.64
	nsharm7.elf	Get hash	malicious	Mirai	Browse	197.132.217.113

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8251
Entropy (8bit):	5.806311590551068
Encrypted:	false
SSDEEP:	192:fsNA9kt7UseiRUtKjEko46qRAq1k8SPxVLZ7VTiQ:fsNAe7J2Afo46q3QxVNZTiQ
MD5:	30E10C8B2CDDADB167C827E5C04E3A4C
SHA1:	EBF31B0C2DA17C993224F05B173F464093B3B272
SHA-256:	F1C0A813FE209DF4634A3F6951FE8DE27CB9C1E1DB9E42582CC077B1D7B7F2D8
SHA-512:	8E0ABC7EE457AD7655EF4EE259DB571EE450E5657DD0710A40EFDFFFBACC822C4D08BFAE4CF1A3BB711FC64C9939BCEB77ED0118F8CCAB889100B5042A3D7066
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Ve

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	17524
Entropy (8bit):	4.340063035506032
Encrypted:	false
SSDEEP:	192:wiuFhk5un5EpDdblzKaz+OJGbiIBJofNbr5/dn82/jqmo3qAi:rq25unWZd9dvJGiIBJoh387oAi
MD5:	03710426AB25AD1280E197F61249F9DE
SHA1:	F5E7A6FD42503AE4758BC36C8DD78D98EFB35047
SHA-256:	21E63F7C77896ED2B5F115957F2448E0A9E2DD738D7D487E471217421F6A93E1
SHA-512:	213CB55B8573335D1384AE704FF4267F224376056F71548660F9B2FDAA1203D8ABDDB787900AAF5D1E0AC6E5BE261F713BDBEFB67643D08E8D3672512A1AF588
Malicious:	false
Preview:	(function()..{.. var XHTML = "http://www.w3.org/1999/xhtml";.. .. // Time slicing constants.. var LIMIT = 10; // Maximum number of nodes to process before checking time.. var DURATION = 200; // Maximum amount of time (ms) to process before unblocking UI.. var DELAY = 15; // Amount of time (ms) to unblock UI.... // Tree building state.. var iterator;.. var nextNode;.. var root;.. var rootFirstChild;.. var time;.. .. // Template References.. var attrTemplate, attrName, attrValue;.. var elmStartTemplate, elmStartName;.. var elmEndTemplate, elmEndName;.. var cdataTemplate, cdataValue;.. var commentTemplate, commentValue;.. var style; .. .. // Only invoke this script if it was injected by our parser. Test for a condition that is.. // impossible for a markup to create - two direct children of the document... var secondRootElement = document.documentElement.nextElementSibling;.. if (secondRootElement == null

File type:	ASCII text, with very long lines (7659)
Entropy (8bit):	5.522441795360108
TrID:
File name:	{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml
File size:	14'624 bytes
MD5:	2d3c508321b32b43ee4192d54bc0ed15
SHA1:	e60a6dc0e6374c5adffce59e1b34635769e39767
SHA256:	96003b2bc14e105d7649310c9f5f0cb1b71c809a17b07a6456be4e4841cba187
SHA512:	20849045a89755f5af8db4509fded733e1316de204824aab92405f70b40cb968bce77feb56c83836041b5e16b0ce9ed1d727fa1b4635d14025fadd42a02e203a
SSDEEP:	384:aFtKQeiPufhsvLOci37nOV7HZ1bAKT9mfCKq:GDGGvLBiLnM7HZ1bAKT9mfCKq
TLSH:	E56295FD600D0EE2A1B38DADE9C0FD4C14299D6F6ED5A578D4C6973A28EC2646D31C32
File Content Preview:	<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2" xmlns:cac="urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2" xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2" xmlns:ccts="urn:u

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 13:40:10.587220907 CEST	51957	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:10.587367058 CEST	52008	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:10.595273972 CEST	53	51957	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:10.595663071 CEST	53	52008	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:13.252799988 CEST	54005	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:13.253341913 CEST	55615	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:13.253981113 CEST	50369	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:13.254496098 CEST	62238	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:13.262558937 CEST	53	54005	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:13.262732029 CEST	53	55615	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:13.263665915 CEST	53	50369	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:13.263840914 CEST	53	62238	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:13.324357986 CEST	61191	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:13.324532032 CEST	56882	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:13.332170963 CEST	53	61191	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:13.332334042 CEST	53	56882	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:15.694272995 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:15.994615078 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.284843922 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.284893036 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.284904957 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.284917116 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.287520885 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.287945986 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.288469076 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.289174080 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.304167986 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.385860920 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.397979021 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.413661957 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.413696051 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.413727045 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.413755894 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.413783073 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.414205074 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.414318085 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.415589094 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.418747902 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.430717945 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.431662083 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.432019949 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.511653900 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.512571096 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.523830891 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.524657965 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.527116060 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:16.540055037 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:16.571238995 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:26.361725092 CEST	53	63074	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:29.217189074 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:29.217514038 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:29.343087912 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:29.344381094 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:29.345323086 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:29.345733881 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:30.863475084 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:30.863929987 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:30.865650892 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:30.989298105 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:30.990211964 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:30.990405083 CEST	443	51174	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:30.990586042 CEST	51174	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.181848049 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.458821058 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.458841085 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.458865881 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.458880901 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.460035086 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.461277962 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.461462021 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.461802959 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.478365898 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.584208012 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.584225893 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.584238052 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.584249973 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.584745884 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.584832907 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.584872961 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.585666895 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.601989985 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.602483988 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.602662086 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:31.707581997 CEST	443	54184	162.159.61.3	192.168.2.4
Oct 24, 2024 13:40:31.738248110 CEST	54184	443	192.168.2.4	162.159.61.3
Oct 24, 2024 13:40:37.395025969 CEST	53	61278	162.159.36.2	192.168.2.4
Oct 24, 2024 13:40:38.022516966 CEST	59172	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:38.030890942 CEST	53	59172	1.1.1.1	192.168.2.4
Oct 24, 2024 13:40:46.553358078 CEST	60809	53	192.168.2.4	1.1.1.1
Oct 24, 2024 13:40:46.560637951 CEST	53	60809	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-10-24 11:40:11 UTC	594	OUT	GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-10-24 11:40:11 UTC	566	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 135771 X-GUploader-UploadID: AHmUCY3iS4vqfT0BV1RTVjDjpiyHfxW7Us1SyNBLWrKWkqNVcnqHdn_lmk459lCShIsFyG-Di2M X-Goog-Hash: crc32c=5YFIVw== Server: UploadServer Date: Wed, 23 Oct 2024 20:33:29 GMT Expires: Thu, 23 Oct 2025 20:33:29 GMT Cache-Control: public, max-age=31536000 Age: 54402 Last-Modified: Tue, 22 Oct 2024 20:33:19 GMT ETag: a1239f8c_b608f476_b1045d58_830b10c8_3ed9cb2d Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-24 11:40:11 UTC	812	IN	Data Raw: 43 72 32 34 03 00 00 00 e2 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2024-10-24 11:40:11 UTC	1378	IN	Data Raw: 5a f7 ba 97 f1 3f fe f5 43 56 d7 f2 f3 3c 8c e7 4b ff e3 ef 3f c6 cf aa aa f3 6b fd 97 a1 fa fc cb e9 ac aa 1f 7f fd 71 3d bf f7 95 fc 59 5e fa b1 ea c7 1f 7f ff d7 8f 21 7f a8 4b 2e f5 e7 ab 47 d8 14 a6 6d 08 6e 1b a9 59 d7 a5 59 ab f2 b1 7f e2 d6 f5 9c 75 d3 57 66 8e a7 d2 54 4f 22 d9 3f a1 dd 8b 8d ce f7 b3 f0 55 2f 52 64 ec 9b cb 59 7f be 8e 1a 6a ee bf ff de a9 ab 48 a3 f3 51 8d bf ec 7b b7 96 fe fb f9 78 de 4f 51 f3 7e 2b 7d bb ff fe 4c d9 39 5f 12 3a 97 2c 45 97 ef ef 0b 13 71 f1 30 26 ce df 1f 49 3b 62 c4 e0 48 bb b1 11 3e ea f2 8e 02 39 b3 7d 09 42 84 80 d8 92 2e 7c e4 41 b8 a9 7c 61 8b 47 e8 1c 82 eb b9 f4 a1 91 6f f7 4f 7b e5 5c 0b 13 d5 85 cf e6 83 09 bb 83 09 54 69 a1 5a 98 fa ba 1b e6 c2 dc 9c 0f db f0 51 98 ce ef f3 fc 7e b6 70 ca 3d d5 33 Data Ascii: Z?CV<K?kq=Y^!K.GmnYYuWfTO"?U/RdYjHQ{xOQ~+}L9_:,Eq0&I;bH>9}B.\|A\|aGoO{\TiZQ~p=3
2024-10-24 11:40:11 UTC	1378	IN	Data Raw: d1 78 a4 43 22 82 21 af 78 ed e5 3b 17 31 63 f2 12 16 6f 58 13 8a ac 6b 1f 08 96 b6 8e 59 b4 c8 5e 7b ff 95 e3 e3 6c 66 93 48 75 bd 57 d8 44 86 61 51 06 73 e9 21 bf d8 c1 38 0f 10 8e 94 67 c9 ae de 62 0f 6a 0d 08 71 f9 00 01 36 e4 d7 e2 f8 fd 7e ad e7 de 90 39 1c a3 5e 29 61 4c ee 81 a2 7b 44 c7 8e 2a b9 2d 76 d2 4b 76 32 2c a9 88 31 c0 6e d9 6b 8d a6 5a 8f 18 9d a2 60 79 ed cb ff 87 06 97 0d 1e 32 a3 56 32 10 9f b9 a9 d2 c4 8b 46 12 b8 5e dc 88 5e 98 61 86 3b 1d 0a 96 7b 16 9e c8 68 27 de 4a 05 5d 6c ca cd 72 ee c9 b5 fc 47 ed 73 37 d8 17 1e 9a eb 56 7a a1 49 00 ec 50 20 44 6e 0c 07 32 6b 0d f0 31 8f 82 17 33 36 ef 77 16 e0 38 a3 78 57 75 ef f7 45 fe d6 da dc 1b 3c a4 60 9b 5a c3 ab 54 de 7c 84 75 4b 00 a2 d8 aa 43 dd 63 24 a2 05 b3 ee 75 a8 ae 07 7e 6c Data Ascii: xC"!x;1coXkY^{lfHuWDaQs!8gbjq6~9^)aL{D*-vKv2,1nkZ`y2V2F^^a;{h'J]lrGs7VzIP Dn2k136w8xWuE<`ZT\|uKCc$u~l
2024-10-24 11:40:11 UTC	1378	IN	Data Raw: f6 8f 48 d5 27 4c 9d 21 67 cf 13 d5 fd 28 ef 16 fb ab 5b b1 72 6f 45 f7 8a 4f da b3 e7 94 c8 03 e1 ba 8f ea 98 8d ad 70 5b 75 d3 db 31 31 1e 65 20 3f 73 03 a7 8c c0 5d 02 07 98 cf a2 15 9d ee 3b 96 d8 5b 6e bd d6 e7 1c e9 c6 a6 3c ec 04 df 03 02 d8 07 6a 07 4f 70 bb e6 0d 44 84 8e 31 f6 ed 1b e9 6a c5 3d 68 26 0c d9 55 07 3f b0 8e cd 25 f6 a5 bf 92 bd 1a 68 de 40 51 36 ee b9 e4 ce 81 50 6c c6 16 de 88 4e bc 66 c4 fd 22 da f5 e3 d6 a9 11 77 1e cc c8 00 69 9f 41 62 95 20 df bd 2c b1 bf 6b be 5b ba 52 77 ca c0 9b 04 7c b7 44 3b 68 e6 61 cf 76 78 4c 3a 74 24 9e d6 21 da de bf f7 1b 89 3f 5c 33 4b 7c e7 5f 9b f5 e1 23 f2 f7 8f ff 83 bf 91 02 97 ae 8d 7f 06 9c bd 4c 5d 83 7b e3 6b 6c 38 41 a1 10 8f 67 d6 26 30 9e 29 6c 6d ce c7 a7 68 e7 66 09 91 a0 a4 e8 82 d5 Data Ascii: H'L!g([roEOp[u11e ?s];[n<jOpD1j=h&U?%h@Q6PlNf"wiAb ,k[Rw\|D;havxL:t$!?\3K\|_#L]{kl8Ag&0)lmhf
2024-10-24 11:40:11 UTC	1378	IN	Data Raw: bd 21 33 d5 4d 7a 30 92 e6 a0 73 01 69 4f 6c e7 64 e7 06 c4 1f cd ca 43 29 99 d5 a9 e4 d2 27 1d 24 47 c6 70 b9 db 83 b8 ff e3 7b 43 fd 1c bd 60 8e 2a b8 9e 3b 74 be 19 0c 65 10 ff b7 71 9b 03 75 c2 bc 05 66 42 30 d4 bd 44 4c 1f e0 98 f8 e0 5e 51 d6 09 16 ee 62 8a 41 64 da 7a 3d 5a 33 a2 f1 1d 19 2a c9 80 f3 07 8d 29 4d f6 90 9d 6a f4 d8 56 61 85 9f 3a ce 4e 59 a7 6e a9 e5 ea 31 ff db f8 7b 43 fb aa 2b b5 c2 4c a8 10 57 3e 9d 12 73 e0 51 5f ef a3 40 64 48 ab 09 6b 6a 14 35 a1 2f 83 cb 26 d1 e4 cb 9d b8 cb 6e d2 3d 1d 90 fa 7e 9d 1e 6b cc d2 f8 7b 2e c6 37 f3 df 63 e9 ba ef fe 7d de f2 f4 a7 e7 2c 7f fb ee 20 7d 36 a6 a6 6a 7f 3b 2b 59 eb 18 b5 6f b9 8e 0b c1 c7 7b c1 1d 95 99 f6 ad e8 d4 b5 e8 6c ed 3f a7 af c2 af 3f 73 bf 3d ff ef 77 2d 1d cf 3d 1a be 73 Data Ascii: !3Mz0siOldC)'$Gp{C`;tequfB0DL^QbAdz=Z3)MjVa:NYn1{C+LW>sQ_@dHkj5/&n=~k{.7c}, }6j;+Yo{l??s=w-=s
2024-10-24 11:40:11 UTC	1378	IN	Data Raw: 00 00 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 2d 00 5f 6c 6f 63 61 6c 65 73 2f 73 76 2f 6d 65 73 73 61 67 65 73 2e 6a 73 6f 6e 55 54 05 00 01 50 03 fc 66 0a 00 20 00 00 00 00 00 01 00 18 00 00 08 b1 f4 0b 14 db 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8d 52 3d 6f dc 30 0c dd fb 2b 08 cf 46 70 fd 1c b2 05 08 d0 a1 45 53 a4 59 02 64 61 4e b4 23 48 a6 04 8a 72 72 08 f2 df 4b 9d 7d 08 ce e8 d0 45 03 45 be f7 f8 1e 5f bb bd 10 2a 31 3d 77 97 af dd 44 a5 e0 48 dd 65 f7 e7 c7 d5 ef 2b f8 75 7f 77 d7 bd f5 1d bd e4 88 8c ea 13 a7 61 88 9e c9 f9 82 8f 91 dc f9 d4 75 85 87 ba db d1 17 81 b5 ef 02 6e 26 70 15 66 1f 23 20 cf cb 37 3b 84 ef 29 8d 91 e0 3a 85 3a 11 2b 54 45 06 cf 4a c2 a4 35 e7 90 72 36 84 b1 3f 42 0e df 72 66 b4 ff a2 0b 44 8c 6c Data Ascii: !-_locales/sv/messages.jsonUTPf R=o0+FpESYdaN#HrrK}EE_*1=wDHe+uwaun&pf# 7;)::+TEJ5r6?BrfDl
2024-10-24 11:40:11 UTC	1378	IN	Data Raw: 4c 28 b9 28 68 15 81 3d 3a d0 47 7f 87 f5 aa c5 a0 2c 48 96 b4 9f 93 24 bf 74 ca 3b a4 a0 f9 6a e6 a1 cc 40 81 91 19 30 5d a1 39 7e 39 01 48 39 a0 4f 22 d8 2a e1 e0 08 be e7 cf 6d 6c b8 0b be c9 03 07 28 7d 6a dc e2 3f 42 98 78 2d d6 a1 b1 19 12 f8 68 b4 04 85 9d 97 35 1c 1b 0c 16 5f 55 b4 c5 fe ea 43 28 83 0e 40 08 bf 0d 79 16 7a c3 cf 26 b0 46 00 0e 4b 9e 50 f8 ed 3b 0e 8c 5d 3c 0b 64 ca 72 2e 90 41 1f b1 d4 e7 ed 22 33 dd 46 8d 4d 1a 99 c7 e4 99 3c 21 86 b1 e4 d2 54 27 cf df ef 91 4e 01 0d 30 81 96 55 96 37 4e 3d d0 01 5c b2 ca 55 80 04 ec aa e2 2a 73 90 6b ac 51 58 5b 6a 0a 34 8b b4 b7 4f b0 0d b9 c6 2c a1 85 38 3d c9 71 2f 07 ef 6d df 60 8f b9 82 8c 87 80 43 e8 d4 88 fe 62 9f b4 94 b9 d7 66 ac 7c 82 88 1d 51 d1 f9 61 37 fe 39 d8 0a 53 59 ae f5 66 32 Data Ascii: L((h=:G,H$t;j@0]9~9H9O"ml(}j?Bx-h5_UC(@yz&FKP;]<dr.A"3FM<!T'N0U7N=\UskQX[j4O,8=q/m`Cbf\|Qa79SYf2
2024-10-24 11:40:11 UTC	1378	IN	Data Raw: 5b 7b 7a c3 30 ec 7c ed 63 70 f3 2d c2 2b 61 1b 8f d7 00 1b e0 cd 2b ef 78 f7 a3 67 c0 39 32 a9 1f 80 6c 66 17 97 d6 80 80 69 32 ab bf c3 f0 d2 d1 02 c6 d1 d1 ca 7f 28 f3 d3 05 cf d7 e6 67 96 67 73 39 3b dd 9e 5f c5 2e 08 52 5b 60 e6 23 e4 24 80 17 de cf 8c 32 61 22 26 18 40 81 51 37 1a 3d e4 69 36 45 18 6c 38 96 b1 f8 bc 04 25 63 8c 69 6f 0b 8e 93 22 11 da 2b e2 2e dd 3c 66 df 7d 3c c4 05 36 71 e2 c9 b8 a6 7e 66 b3 9b 73 21 3a a7 95 67 38 d4 83 89 c3 d7 91 64 de c5 5b 01 f5 ff a5 13 58 78 d8 a8 54 25 22 24 d8 16 40 cd 81 70 5e c5 3b d8 dd 55 72 b8 9e d6 48 15 06 41 57 68 5b e8 27 30 b1 82 0f e8 09 d8 f8 24 0d ae 73 05 91 20 6f 32 84 0d f0 82 95 ca 25 80 50 f5 46 fa 49 1e 46 5e 38 4e d2 28 ef db ce 9f 18 54 a7 c3 53 4b c7 26 a2 ba e4 21 00 dd 3a a8 e3 88 Data Ascii: [{z0\|cp-+a+xg92lfi2(ggs9;_.R[`#$2a"&@Q7=i6El8%cio"+.<f}<6q~fs!:g8d[XxT%"$@p^;UrHAWh['0$s o2%PFIF^8N(TSK&!:
2024-10-24 11:40:11 UTC	1378	IN	Data Raw: a8 15 a1 54 1e 5a 8d 72 3d e2 47 40 31 01 b6 e2 e3 20 ba 53 87 b9 64 39 96 a9 1f 50 8d c3 df 89 4f 3c 44 83 14 ce e2 33 f3 a3 46 d1 e2 45 58 a7 2c f7 48 0a 04 81 50 14 d0 11 86 4d 66 e7 ff be d5 aa ce 18 47 ec d9 2c f8 22 13 e5 35 27 b7 b0 97 2a bf 2c 0b d7 07 48 d7 30 c9 86 93 1f b0 17 3e b8 b1 bc a7 01 17 51 9c 66 55 50 9a b0 bb 80 25 f5 6f 33 e1 cf d4 9d 1c 93 ba 54 72 a7 e2 f6 75 97 90 fe 6f d2 46 10 67 11 75 4c 7e d0 94 af e3 4d 5d b4 38 17 ad 83 c4 09 26 df 24 fb 10 6d 5d e5 56 f8 11 0d 2d bb f3 2c 35 9d 43 aa d3 dc cc 21 ae 95 db 49 63 90 e8 bb b5 a2 31 68 28 4f c1 46 84 c4 ae 85 65 77 6e 1d 5c 72 28 c5 cb d9 9f 0c 82 36 6a 85 c3 0c cb 86 67 50 98 fd a8 5e 6f c5 03 8b 54 f3 c2 30 f0 94 72 6d 96 45 e2 75 68 b3 3c 02 83 6b 79 2f ae 25 09 87 d3 41 99 Data Ascii: TZr=G@1 Sd9PO<D3FEX,HPMfG,"5'*,H0>QfUP%o3TruoFguL~M]8&$m]V-,5C!Ic1h(OFewn\r(6jgP^oT0rmEuh<ky/%A
2024-10-24 11:40:11 UTC	1378	IN	Data Raw: 02 18 e4 0f c3 f4 76 5f 5c be dd ce 6f 88 69 ac e4 50 fa ee 07 ab c8 a0 8b 52 e9 bb 55 6b fa 9f c6 22 3c 29 b7 da 31 d5 9e ae 5a b0 94 e9 7c 5c e7 66 a1 94 56 e8 81 c0 57 d2 a5 5b 41 6a 0e 92 60 dd 9b c4 c3 77 12 c5 dc 29 96 c5 76 0c 56 10 bf 85 d3 7f df 78 05 8d e2 78 fc 2e d0 e2 68 c5 5e ba e2 78 a2 f7 ae 74 a2 c9 5d 23 c5 a1 dd 77 87 05 87 09 52 cb 31 68 27 3d 4b 9d 65 b2 de 77 fd b1 ff 96 4d 3f 5e 60 b9 1e 38 a4 9e c8 b0 ea d5 db 24 51 55 05 52 b6 f2 27 f0 e4 fd 6c 75 91 a7 7f 43 1e 77 ee c0 54 0b 56 cd 31 4f 5e ee ea 9b de 9a b3 38 11 b7 da d9 f9 e5 0f 50 4b 07 08 fd 45 55 f9 17 02 00 00 f3 0a 00 00 50 4b 03 04 14 00 08 08 08 00 00 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 2d 00 5f 6c 6f 63 61 6c 65 73 2f 6d 6e 2f 6d 65 73 73 61 67 65 73 2e Data Ascii: v_\oiPRUk"<)1Z\|\fVW[Aj`w)vVxx.h^xt]#wR1h'=KewM?^`8$QUR'luCwTV1O^8PKEUPK!-_locales/mn/messages.

Timestamp	Bytes transferred	Direction	Data
2024-10-24 11:40:13 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-10-24 11:40:13 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-10-24 11:40:14 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 24 Oct 2024 11:40:13 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8d79b0db4ba6e5c2-DFW alt-svc: h3=":443"; ma=86400
2024-10-24 11:40:14 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 e4 00 04 8e fa 72 5e 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomr^)

Timestamp	Bytes transferred	Direction	Data
2024-10-24 11:40:17 UTC	448	OUT	POST /chromewebstore/v1.1/items/verify HTTP/1.1 Host: www.googleapis.com Connection: keep-alive Content-Length: 119 Content-Type: application/json Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-10-24 11:40:17 UTC	119	OUT	Data Raw: 7b 22 68 61 73 68 22 3a 22 39 69 2b 78 57 56 69 6d 31 34 76 52 70 54 46 73 34 4e 48 77 63 61 34 33 71 41 61 43 6f 67 7a 41 4d 65 47 62 48 65 2b 30 67 53 4d 3d 22 2c 22 69 64 73 22 3a 5b 22 67 68 62 6d 6e 6e 6a 6f 6f 65 6b 70 6d 6f 65 63 6e 6e 6e 69 6c 6e 6e 62 64 6c 6f 6c 68 6b 68 69 22 5d 2c 22 70 72 6f 74 6f 63 6f 6c 5f 76 65 72 73 69 6f 6e 22 3a 31 7d Data Ascii: {"hash":"9i+xWVim14vRpTFs4NHwca43qAaCogzAMeGbHe+0gSM=","ids":["ghbmnnjooekpmoecnnnilnnbdlolhkhi"],"protocol_version":1}
2024-10-24 11:40:17 UTC	341	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Vary: Origin Vary: X-Origin Vary: Referer Date: Thu, 24 Oct 2024 11:40:17 GMT Server: ESF Content-Length: 483 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-24 11:40:17 UTC	483	IN	Data Raw: 7b 0a 20 20 22 70 72 6f 74 6f 63 6f 6c 5f 76 65 72 73 69 6f 6e 22 3a 20 31 2c 0a 20 20 22 73 69 67 6e 61 74 75 72 65 22 3a 20 22 61 6d 64 62 74 71 39 70 30 59 4c 74 68 76 2f 58 39 4a 63 45 6d 43 51 6f 74 6b 66 38 56 4c 37 75 54 69 66 66 75 65 54 6b 4a 68 78 47 57 35 54 66 4c 33 43 61 34 4c 51 54 6e 4d 70 54 44 58 74 30 4d 4f 4b 50 50 57 48 47 42 76 2b 61 58 6a 4b 4c 56 56 6b 61 38 35 62 48 61 55 52 67 63 57 51 30 4a 30 35 4f 50 42 43 6e 4d 6f 76 53 63 36 73 58 6d 49 35 54 61 45 55 64 63 39 6a 56 69 36 2f 34 6b 44 55 55 41 6e 73 77 4c 33 58 32 51 31 42 53 68 48 31 6d 75 57 2f 50 44 30 56 46 75 63 54 77 61 45 39 52 4e 61 33 39 44 55 34 6b 50 76 48 79 6f 54 6d 62 4a 4e 52 6e 4b 67 75 48 47 74 51 53 39 34 32 53 4e 72 45 45 65 64 72 72 79 69 6c 6e 32 61 36 79 Data Ascii: { "protocol_version": 1, "signature": "amdbtq9p0YLthv/X9JcEmCQotkf8VL7uTiffueTkJhxGW5TfL3Ca4LQTnMpTDXt0MOKPPWHGBv+aXjKLVVka85bHaURgcWQ0J05OPBCnMovSc6sXmI5TaEUdc9jVi6/4kDUUAnswL3X2Q1BShH1muW/PD0VFucTwaE9RNa39DU4kPvHyoTmbJNRnKguHGtQS942SNrEEedrryiln2a6y

Timestamp	Bytes transferred	Direction	Data
2024-10-24 11:40:17 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-10-24 11:40:17 UTC	532	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 11:40:17 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Tue, 22 Oct 2024 16:33:26 GMT ETag: 0x8DCF2B740D62BCC x-ms-request-id: cb7e3041-901e-0062-7909-262fdf000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241024T114017Z-16849878b78plcdqu15wsb886400000007gg00000000cr73 Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-10-24 11:40:17 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Timestamp	Bytes transferred	Direction	Data
2024-10-24 11:40:29 UTC	618	OUT	GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1730374811&P2=404&P3=2&P4=eyEJMar66EjaXc1c2IncUP9ze73ukP9o%2fV0XCTSV%2foCCD6NGtFh0LNITjmaYIDF19tiwKN%2bYOzX5ESmgnNrXsA%3d%3d HTTP/1.1 Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com Connection: keep-alive MS-CV: ALZO8dbXCPrwsCnxqsS2Lg Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-10-24 11:40:30 UTC	1246	IN	HTTP/1.1 200 OK Content-Type: application/x-chrome-extension Last-Modified: Wed, 24 Jan 2024 00:25:37 GMT Accept-Ranges: bytes ETag: "Gv3jDkaZdFLRHkoq2781zOehQE8=" Server: Microsoft-IIS/10.0 X-AspNetMvc-Version: 5.3 MS-CorrelationId: e13f0f62-d9cc-4e0d-b86b-192cc00e5ac6 MS-RequestId: a501378a-aec6-4c3f-a763-219ecb864996 MS-CV: hYSYxd/OqRM4hEciWeuq/9.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET X-Powered-By: ARR/3.0 X-Powered-By: ASP.NET Content-Length: 11185 Cache-Control: public, max-age=86395 Date: Thu, 24 Oct 2024 11:40:30 GMT Alt-Svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600,h3-Q050=":443"; ma=93600,quic=":443"; ma=93600; v="46,43" Connection: close Akamai-Request-BC: [a=23.193.38.54,b=910537206,c=g,n=US_TX_IRVING,o=20940],[c=p,n=US_TX_IRVING,o=20940] MSREGION: X-CCC: X-CID: 3 Akamai-GRN: 0.3626c117.1729770030.3645b1f6 Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Expose-Headers: Server,range,hdntl,hdnts,Akamai-Mon-Iucid-Ing,Akamai-Mon-Iucid-Del,Akamai-Request-BC Access-Control-Allow-Headers: origin,range,hdntl,hdnts,CMCD-Request,CMCD-Object,CMCD-Status,CMCD-Session Access-Control-Allow-Methods: GET,POST,OPTIONS Access-Control-Allow-Origin: *
2024-10-24 11:40:30 UTC	11185	IN	Data Raw: 43 72 32 34 03 00 00 00 1d 05 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 bb 4e a9 d8 c8 e8 cb ac 89 0d 45 23 09 ef 07 9e ab ed 9a 39 65 ef 75 ea 71 bc a5 c4 56 59 59 ef 8c 08 40 04 2b ed 43 d0 dc 6b a7 4f 88 b9 62 4b d3 60 94 de 36 ee 47 92 ab 25 8a 1e cc 0d fa 33 5a 12 19 8e 65 20 5f fd 36 15 d6 13 1e 46 ae 8b 31 70 18 f1 a8 4b 1d 5a ff de 0e 83 8e 11 b2 2f 20 ed 33 88 cb fb 4f 54 94 9e 60 00 d3 bc 30 ab c0 d7 59 8b b0 96 46 54 fc f0 34 33 1c 74 68 d6 79 f9 0c 8c 7d 8a 91 98 ca 70 c6 4c 0f 1b c8 32 53 b9 26 69 cc 60 09 8d 6f ec f9 a6 66 8d 6f 48 81 0e 05 8a f1 97 4e b8 c3 94 3a b3 f7 69 6a 54 89 33 da 9e 46 7b d1 30 bb 2c cc 66 3f 27 66 e3 43 51 74 3b 62 5f 22 50 63 08 e5 20 Data Ascii: Cr240"0*H0NE#9euqVYY@+CkObK`6G%3Ze _6F1pKZ/ 3OT`0YFT43thy}pL2S&i`ofoHN:ijT3F{0,f?'fCQt;b_"Pc

Target ID:	0
Start time:	07:40:01
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Desktop\{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml"
Imagebase:	0x9a0000
File size:	225'176 bytes
MD5 hash:	A2E6E2A1C125973A4967540FD08C9AF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	1
Start time:	07:40:02
Start date:	24/10/2024
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml
Imagebase:	0x7ff72c300000
File size:	834'512 bytes
MD5 hash:	CFE2E6942AC1B72981B3105E22D3224E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	3
Start time:	07:40:03
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c
Imagebase:	0x7ff7129d0000
File size:	540'712 bytes
MD5 hash:	89CF8972D683795DAB6901BC9456675D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	07:40:04
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1044c
Imagebase:	0x7ff7699e0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	07:40:05
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2828 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:3
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	07:40:09
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5868 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	07:40:12
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5768 --field-trial-handle=2620,i,4059753573926837572,7725692899582869137,262144 /prefetch:8
Imagebase:	0x7ff776a70000
File size:	1'255'976 bytes
MD5 hash:	76C58E5BABFE4ACF0308AA646FC0F416
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	17
Start time:	07:40:25
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	19
Start time:	07:40:33
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	07:40:34
Start date:	24/10/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2176,i,13810906325023881848,113091338376837868,262144 /prefetch:3
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report {89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Software Vulnerabilities

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\017b284d-17a3-4626-99a4-38d66d64d7f8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\05c08225-f68e-46f5-a0bb-e2c8363f3998.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0bfa69cb-79ae-400c-ac60-c550f1d28c4f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2d88f16d-3ffe-4531-8299-5ba45816fedc.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2f324793-a4f4-4649-8a90-9091bf8e849f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\4007b4cd-0a88-440e-83d0-8353dab4a06d.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\57598b1d-ac24-4984-a574-7ec0d85fa5d3.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\862953a6-02a7-46e9-9f22-91859d1c17cd.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\1ac46940-b78c-4400-9503-f7cb3ba58f2e.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-671A3214-157C.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-671A3215-1CA8.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-671A3229-205C.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-671A3231-1D00.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\35c28d2c-9d8b-4ee4-89b8-577652431996.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\45dea9a7-c02e-4625-a1d2-af3b73d2bcf9.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\4e07ada5-875f-48fe-918d-843b58e34c65.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\833d6eb3-21d3-406f-86b1-5113e6d4dd76.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000001.dbtmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000003.log

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\CURRENT (copy)

Windows Analysis Report
{89eeeac4-e4d3-40a8-9048-e7cecfc98851}.xml

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre