Edit tour

Windows Analysis Report
sysmonconfig.xml

Overview

General Information

Sample name:	sysmonconfig.xml
Analysis ID:	1582287
MD5:	b04faa031563d47ddd5d4c44c6ba1d43
SHA1:	9fbe4b83957218c1d2a7f62672c276f7ba8b563d
SHA256:	afa3602b7350c7b87c2754379c9b30c79094e898291442e9428ebb47ef02db56
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to hide user accounts

Deletes shadow drive data (may be related to ransomware)

Maps a DLL or memory area into another process

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

May use bcdedit to modify the Windows boot settings

Potential browser exploit detected (process start blacklist hit)

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Classification

Process Tree

System is w10x64

MSOXMLED.EXE (PID: 7636 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Desktop\sysmonconfig.xml" MD5: A2E6E2A1C125973A4967540FD08C9AF0)

iexplore.exe (PID: 7672 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\sysmonconfig.xml MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 7724 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7672 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ie_to_edge_stub.exe (PID: 7796 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=104a4 MD5: 89CF8972D683795DAB6901BC9456675D)

msedge.exe (PID: 7876 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=104a4 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8136 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1964,i,8747618032302115982,16467247634679276211,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

ssvagent.exe (PID: 7836 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

msedge.exe (PID: 8164 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=104a4 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5228 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2736 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8740 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5932 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

identity_helper.exe (PID: 9104 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

identity_helper.exe (PID: 9124 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

msedge.exe (PID: 8808 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7908 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=940,i,6447755210393814094,4087030614401303826,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8936 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8048 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2076,i,13288677910215277293,11958741982331377624,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Sigma Signatures

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7672 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 7724, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 7836, ProcessName: ssvagent.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 7672, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Source: global traffic

TCP traffic: 192.168.2.4:53854 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 172.64.41.3 172.64.41.3

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: msapplication.xml1.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x09eadfb1,0x01db5a91</date><accdate>0x09ed3d2a,0x01db5a91</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x09f6b0fb,0x01db5a91</date><accdate>0x09f90ec9,0x01db5a91</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x09fdcb52,0x01db5a91</date><accdate>0x09fdcb52,0x01db5a91</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.1.dr	String found in binary or memory: http://www.youtube.com/
Source: offscreendocument_main.js.8.dr, service_worker_bin_prod.js.8.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: Network Persistent State0.8.dr	String found in binary or memory: https://chrome.cloudflare-dns.com
Source: manifest.json0.8.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: manifest.json0.8.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: cb14acf6-0a31-45d5-9de2-c78d31e426ed.tmp.9.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json.8.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: cb14acf6-0a31-45d5-9de2-c78d31e426ed.tmp.9.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: manifest.json.8.dr	String found in binary or memory: https://docs.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json.8.dr	String found in binary or memory: https://drive.google.com/
Source: 000003.log7.8.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: sysmonconfig.xml	String found in binary or memory: https://github.com/olafhartong/sysmon-modular/wiki
Source: content_new.js.8.dr, content.js.8.dr	String found in binary or memory: https://www.google.com/chrome
Source: cb14acf6-0a31-45d5-9de2-c78d31e426ed.tmp.9.dr	String found in binary or memory: https://www.googleapis.com
Source: Top Sites.8.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.8.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: sysmonconfig.xml

Binary or memory string: <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">vssadmin;delete</CommandLine>

Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="contains">\</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1546.011,technique_name=Application Shimming" condition="is">sdbinst.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1197,technique_name=BITS Jobs" condition="is">bitsadmin.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1562.006,technique_name=Indicator Blocking" condition="is">fltMC.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="is">fltMC.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.004,technique_name=InstallUtil" condition="is">InstallUtil.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1546.008,technique_name=Windows Error Reporting" condition="contains">werfault.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="is">odbcconf.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1564.001,technique_name=Hidden Files and Directories" condition="is">attrib.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1543.003,technique_name=Windows Service" condition="is">sc.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1569.002,technique_name=Service Execution" condition="is">dnscmd.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1489,technique_name=Service Stop" condition="is">taskkill.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1074,technique_name=Data Staged" condition="is">xcopy.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1074,technique_name=Data Staged" condition="is">robocopy.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1105,technique_name=Remote File Copy" condition="is">GfxDownloadWrapper.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1105,technique_name=Remote File Copy" condition="is">expand.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1040,technique_name=Network Sniffing" condition="is">PktMon.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">esentutl.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">TTTracer.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">sqldumper.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">ntdsutil.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="image">rpcping.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">rpcping.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">expand</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">IEExec.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">Print.Exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">curl.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">print.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">regedit.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="is">esentutl.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="is">extrac32.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1053.005,technique_name=Scheduled Task/Job" condition="contains any">schtasks.exe;sctasks.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique=T1053.002,technique_name=At" condition="contains any">at.exe;At.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1053,technique_name=Scheduled Task/Job" condition="is">taskeng.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1222.001,technique_name=File Permissions Modification" condition="is">takeown.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1222.001,technique_name=File Permissions Modification" condition="contains any">icacls.exe;cacls.exe;xcacls.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1134,technique_name=Access Token Manipulation" condition="is">runas.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">WSReset.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">xwizard.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">computerdefaults.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">dism.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">fodhelper.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Account Control" condition="is">computerdefaults.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Account Control" condition="is">dism.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Account Control" condition="is">fodhelper.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="contains any">vssadmin.exe;wbadmin.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">bcdedit.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">vssadmin.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">mofcomp.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">ScrCons</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">wmiprvse.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1087,technique_name=Account Discovery" condition="is">klist.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1087,technique_name=Account Discovery" condition="is">cmdkey.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1078.002,technique_name=Domain Accounts" condition="is">djoin.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="contains any">systeminfo.exe;sysinfo.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">quser.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="contains any">nltest.exe;nltestk.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">ipconfig.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">nslookup.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">tracert.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">route.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="contains any">nbtstat.exe;nbtinfo.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="is">netsh.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">net.exe;net1.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">ping.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">dsquery.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">tasklist.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">qprocess.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">query.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">qwinsta.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">rwinsta.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1083,technique_name=File and Directory Discovery" condition="contains any">tree.com;findstr.exe;where.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1049,technique_name=System Network Connections Discovery" condition="is">netstat.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">nltestrk.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1482,technique_name=Domain Trust Discovery" condition="is">nltest.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1012,technique_name=Query Registry" condition="is any">reg.exe;regedit.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">wevtutil.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="Event Log Access" condition="is">wevtutil.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1070,technique_name=Indicator Removal" condition="is">fsutil.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is any">reg.exe;regedit.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">pcalua.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">cscript.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">wscript.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">bash.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">certutil.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">winrs.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">desktopimgdownldr.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">cscript.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.001,technique_name=Compiled HTML File" condition="is">hh.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.004,technique_name=InstallUtil" condition="is">installutil.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.005,technique_name=Mshta" condition="is">mshta.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.010,technique_name=Regsvr32" condition="is">regsvr32.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.011,technique_name=rundll32.exe" condition="contains">rundll32.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">InfDefaultInstall.EXE</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">extexport.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msconfig.EXE</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msiexec.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">odbcconf.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">PresentationHost.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">rasdlui.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">RegisterCimProvider2.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">RegisterCimProvider.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">ScriptRunner.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">verclsid.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wab.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">Appvlp.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">csi.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">Scriptrunner.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">tttracer.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msdt.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">rasautou.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">Register-cimprovider.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">replace.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">vbc.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">csc.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">dfsvc.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">ilasm.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">jsc.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">vbc.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">Microsoft.Workflow.Compiler.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">tracker.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">te.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">rcsi.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.003,technique_name=CMSTP" condition="is">CMSTP.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">MSBuild.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.009,technique_name=Regsvcs/Regasm" condition="contains any">regsvcs.exe;regasm.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1059.003,technique_name=Windows Command Shell" condition="is">cmd.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell_ise.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">Sqlps.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">ATBroker.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="is">PsList.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1007,technique_name=System Service Discovery" condition="is">PsService.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1569.002,technique_name=Service Execution" condition="is">PsExec.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1569.002,technique_name=Service Execution" condition="is">PsExec.c</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">PsGetSID.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="is">PsKill.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="is">PKill.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">ProcDump</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">PsLoggedOn.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">PsFile.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">ShellRunas</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="is">PipeList.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1083,technique_name=File and Directory Discovery" condition="is">AccessChk.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1083,technique_name=File and Directory Discovery" condition="is">AccessEnum.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">LogonSessions.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1005,technique_name=Data from Local System" condition="is">PsLogList.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="is">PsInfo.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1007,technique_name=System Service Discovery" condition="contains">LoadOrd</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1098,technique_name=Account Manipulation" condition="is">PsPasswd.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1012,technique_name=Query Registry" condition="is">ru.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1012,technique_name=Query Registry" condition="contains">Regsize</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">ProcDump</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">wmic.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">wbadmin.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">bcdedit.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">wsmprovhost.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">winrshost.exe</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="is">amsi.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">clr.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">clrjit.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscoreei.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscoree.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscoreeis.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscorlib.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1055,technique_name=Process Injection" condition="is">mscorlib.ni.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">scrrun.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">vbscript.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.005,technique_name=MSHTA with AMSI Bypass" condition="is">jscript.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.005,technique_name=MSHTA with AMSI Bypass" condition="is">jscript9.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1559.001,technique_name=Component Object Model" condition="is">combase.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1559.001,technique_name=Component Object Model" condition="is">coml2.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1559.001,technique_name=Component Object Model" condition="is">comsvcs.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">clr.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">VBE7INTL.DLL</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">VBE7.DLL</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">VBEUI.DLL</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">OUTLVBA.DLL</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1112,technique_name=Modify Registry" condition="is">regsvc.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1003.004,technique_name=LSASS Memory" condition="is">comsvcs.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1053,technique_name=Scheduled Task" condition="is">taskschd.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1218.010,technique_name=Regsvr32" condition="is">scrobj.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">urlmon.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">scrobj.dll</OriginalFileName> vs sysmonconfig.xml
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="excludes all">mscoree.dll;mscoreei.dll;mscoreeis.dll;clr.dll;clrjit.dll</OriginalFileName> vs sysmonconfig.xml

Source: sysmonconfig.xml

Binary string: <Image name="technique_id=T1099,technique_name=Timestomp" condition="begin with">\Device\HarddiskVolumeShadowCopy</Image>

Source: sysmonconfig.xml

Binary or memory string: <TargetFilename name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="end with">.sln</TargetFilename>

Source: classification engine

Classification label: mal52.rans.evad.winXML@57/313@8/4

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF10359F73D767751A.TMP

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.8.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE "C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Desktop\sysmonconfig.xml"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\sysmonconfig.xml
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7672 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=104a4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=104a4
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1964,i,8747618032302115982,16467247634679276211,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=104a4 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2736 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5932 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=940,i,6447755210393814094,4087030614401303826,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2076,i,13288677910215277293,11958741982331377624,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\sysmonconfig.xml	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7672 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=104a4	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=104a4	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1964,i,8747618032302115982,16467247634679276211,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2736 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5932 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=940,i,6447755210393814094,4087030614401303826,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2076,i,13288677910215277293,11958741982331377624,262144 /prefetch:3

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: appvisvsubsystems32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: c2r32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName condition="is">bcdedit.exe</OriginalFileName>
Source: sysmonconfig.xml	Binary or memory string: <OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">bcdedit.exe</OriginalFileName>

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: sysmonconfig.xml

String found in binary or memory: <TargetObject name="technique_id=T1547.004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Specialaccounts\userlist</TargetObject>

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: sysmonconfig.xml	Binary or memory string: <SourceImage condition="end with">VBoxService.exe</SourceImage>
Source: sysmonconfig.xml	Binary or memory string: <SourceImage condition="is">C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe</SourceImage>
Source: sysmonconfig.xml	Binary or memory string: <SourceImage condition="is">C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe</SourceImage>
Source: sysmonconfig.xml	Binary or memory string: <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
Source: sysmonconfig.xml	Binary or memory string: <SourceImage condition="end with">vmtoolsd.exe</SourceImage>

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\sysmonconfig.xml			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=104a4			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Bootkit	1 Registry Run Keys / Startup Folder	111 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Hidden Users	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Bootkit	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
googlehosted.l.googleusercontent.com	142.250.184.225	true	false	high
clients2.googleusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false		high
https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	Top Sites.8.dr	false	high
https://chrome.cloudflare-dns.com	Network Persistent State0.8.dr	false	high
http://www.nytimes.com/	msapplication.xml4.1.dr	false	high
https://cdnjs.cloudflare.com/ajax/libs/mathjax/	offscreendocument_main.js.8.dr, service_worker_bin_prod.js.8.dr	false	high
https://drive-daily-2.corp.google.com/	manifest.json.8.dr	false	high
https://drive-autopush.corp.google.com/	manifest.json.8.dr	false	high
https://drive-daily-4.corp.google.com/	manifest.json.8.dr	false	high
https://www.office.com/Office	Top Sites.8.dr	false	high
http://www.amazon.com/	msapplication.xml.1.dr	false	high
https://github.com/olafhartong/sysmon-modular/wiki	sysmonconfig.xml	false	high
http://www.twitter.com/	msapplication.xml6.1.dr	false	high
https://drive-daily-1.corp.google.com/	manifest.json.8.dr	false	high
https://drive-daily-5.corp.google.com/	manifest.json.8.dr	false	high
https://docs.google.com/	manifest.json.8.dr	false	high
https://drive-staging.corp.google.com/	manifest.json.8.dr	false	high
https://www.google.com/chrome	content_new.js.8.dr, content.js.8.dr	false	high
https://drive-daily-6.corp.google.com/	manifest.json.8.dr	false	high
https://drive.google.com/	manifest.json.8.dr	false	high
https://drive-daily-0.corp.google.com/	manifest.json.8.dr	false	high
http://www.youtube.com/	msapplication.xml8.1.dr	false	high
https://chromewebstore.google.com/	manifest.json0.8.dr	false	high
http://www.wikipedia.com/	msapplication.xml7.1.dr	false	high
https://drive-preprod.corp.google.com/	manifest.json.8.dr	false	high
https://clients2.googleusercontent.com	cb14acf6-0a31-45d5-9de2-c78d31e426ed.tmp.9.dr	false	high
http://www.live.com/	msapplication.xml3.1.dr	false	high
https://chrome.google.com/webstore/	manifest.json0.8.dr	false	high
http://www.reddit.com/	msapplication.xml5.1.dr	false	high
http://www.google.com/	msapplication.xml2.1.dr	false	high
https://drive-daily-3.corp.google.com/	manifest.json.8.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.184.225	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582287
Start date and time:	2024-12-30 09:00:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sysmonconfig.xml
Detection:	MAL
Classification:	mal52.rans.evad.winXML@57/313@8/4
Cookbook Comments:	Found application associated with file extension: .xml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 13.107.42.16, 13.107.21.239, 204.79.197.239, 172.217.16.206, 2.23.209.137, 2.23.209.141, 2.23.209.140, 2.23.209.150, 2.23.209.149, 2.23.209.133, 2.23.209.135, 2.23.209.131, 2.23.209.143, 2.16.168.115, 2.16.168.122, 204.79.197.200, 142.251.35.163, 142.251.41.3, 184.28.90.27, 13.107.246.40, 142.250.64.106, 20.12.23.50, 23.200.0.34, 13.107.246.45
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, ieonline.microsoft.com, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, otelrules.azureedge.net, star.sb.tlu.dl.delivery.mp.microsoft.com.edgesuite.net, ctldl.windowsupdate.com, www.googleapis.com, www-www.bing.com.trafficmanager.net, edge.microsoft.com, fe3cr.delivery.mp.microsoft.com, any.edge.bing.com, l-0007.config.skype.com, go.microsoft.com.edgekey.net, a2033.dscd.akamai.net, edgeassetservice.azureedge.net, clients.l.google.com, msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com,
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:01:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
08:01:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse
	installer.bat	Get hash	malicious	Vidar	Browse
	skript.bat	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse
	ChoForgot.exe	Get hash	malicious	Vidar	Browse
239.255.255.250	https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com	Get hash	malicious	Unknown	Browse
	https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a	Get hash	malicious	Unknown	Browse
	https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a	Get hash	malicious	Unknown	Browse
	http://stoss3.libooc.com	Get hash	malicious	Unknown	Browse
	PersonnelPolicies.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse
	EFT Payment_Transcript__Survitecgroup.html	Get hash	malicious	Unknown	Browse
	installeasyassist.exe	Get hash	malicious	Unknown	Browse
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse
172.64.41.3	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse
	installer.bat	Get hash	malicious	Vidar	Browse
	din.exe	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse	172.64.41.3
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.41.3
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	installer.bat	Get hash	malicious	Vidar	Browse	172.64.41.3
	skript.bat	Get hash	malicious	Vidar	Browse	162.159.61.3
	din.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	lem.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	WRD1792.docx.doc	Get hash	malicious	Dynamer	Browse	162.159.61.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com	Get hash	malicious	Unknown	Browse	172.67.134.110
	https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a	Get hash	malicious	Unknown	Browse	104.18.1.101
	https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a	Get hash	malicious	Unknown	Browse	104.18.1.101
	PersonnelPolicies.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	104.17.245.203
	botx.arm7.elf	Get hash	malicious	Mirai	Browse	104.17.182.127
	AquaPac.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.205.168
	R3nz_Loader.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	BasesRow.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	104.26.13.205
CLOUDFLARENETUS	https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com	Get hash	malicious	Unknown	Browse	172.67.134.110
	https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a	Get hash	malicious	Unknown	Browse	104.18.1.101
	https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a	Get hash	malicious	Unknown	Browse	104.18.1.101
	PersonnelPolicies.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	104.17.245.203
	botx.arm7.elf	Get hash	malicious	Mirai	Browse	104.17.182.127
	AquaPac.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.205.168
	R3nz_Loader.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	BasesRow.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	104.26.13.205

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	22900
Entropy (8bit):	6.059882287999264
Encrypted:	false
SSDEEP:	384:MtMkaMJH2m8qVT8IeQ0I5t0b9MEFdsNwtmW30TMWWtafT35ub/Y3jFd4S:MMkbJrT8IeQc5dJm9xWtafL5uTY3J9
MD5:	2C95755715D1CF5C684B9C957FF23F1A
SHA1:	46C1E2B6F836139A1A450D399862CC7E136C2864
SHA-256:	E08F0D62EBBFBCA5BE82F38A358494EB671FA3F354CEA99B1EF256A3C9A3F58A
SHA-512:	FC99301DC2A1C5F24463DB3AD9F836BC1997A4CB12C442A40B3895C46DA45D71F0489F7F2B84D4147ED106F7072FBC7BFEFE6447A56B4EC274F3A0B9F021713A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13380019256817068","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd1

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	17524
Entropy (8bit):	4.340063035506032
Encrypted:	false
SSDEEP:	192:wiuFhk5un5EpDdblzKaz+OJGbiIBJofNbr5/dn82/jqmo3qAi:rq25unWZd9dvJGiIBJoh387oAi
MD5:	03710426AB25AD1280E197F61249F9DE
SHA1:	F5E7A6FD42503AE4758BC36C8DD78D98EFB35047
SHA-256:	21E63F7C77896ED2B5F115957F2448E0A9E2DD738D7D487E471217421F6A93E1
SHA-512:	213CB55B8573335D1384AE704FF4267F224376056F71548660F9B2FDAA1203D8ABDDB787900AAF5D1E0AC6E5BE261F713BDBEFB67643D08E8D3672512A1AF588
Malicious:	false
Preview:	(function()..{.. var XHTML = "http://www.w3.org/1999/xhtml";.. .. // Time slicing constants.. var LIMIT = 10; // Maximum number of nodes to process before checking time.. var DURATION = 200; // Maximum amount of time (ms) to process before unblocking UI.. var DELAY = 15; // Amount of time (ms) to unblock UI.... // Tree building state.. var iterator;.. var nextNode;.. var root;.. var rootFirstChild;.. var time;.. .. // Template References.. var attrTemplate, attrName, attrValue;.. var elmStartTemplate, elmStartName;.. var elmEndTemplate, elmEndName;.. var cdataTemplate, cdataValue;.. var commentTemplate, commentValue;.. var style; .. .. // Only invoke this script if it was injected by our parser. Test for a condition that is.. // impossible for a markup to create - two direct children of the document... var secondRootElement = document.documentElement.nextElementSibling;.. if (secondRootElement == null

File type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with very long lines (364)
Entropy (8bit):	5.122500527848099
TrID:	Text - UTF-8 encoded (3003/1) 100.00%
File name:	sysmonconfig.xml
File size:	253'224 bytes
MD5:	b04faa031563d47ddd5d4c44c6ba1d43
SHA1:	9fbe4b83957218c1d2a7f62672c276f7ba8b563d
SHA256:	afa3602b7350c7b87c2754379c9b30c79094e898291442e9428ebb47ef02db56
SHA512:	97b6ac6e1d3f232a58b66f862b754daff4d2f573f5cfa40a789d9949899430688718bdfff5184c9b492d74d25a43c69f27f9de7bb4b67ebd1f87b0d9fdc15d3e
SSDEEP:	3072:4iAR63eZ/h+yyI/+cjxwP+1RSf1nC7/4xnWCaalSje:X5CMX
TLSH:	3E34213330B8E4C2D14A9A62A7922A103DF1D227698D6F7836FF70105772776E51B7A3
File Content Preview:	... NOTICE : This is a balanced generated output of Sysmon-modular with medium verbosity -->. due to the balanced nature of this configuration there will be potential blind spots

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 09:01:00.462445021 CET	51789	53	192.168.2.4	1.1.1.1
Dec 30, 2024 09:01:00.462584972 CET	58151	53	192.168.2.4	1.1.1.1
Dec 30, 2024 09:01:00.469001055 CET	53	51789	1.1.1.1	192.168.2.4
Dec 30, 2024 09:01:00.482800007 CET	53	58151	1.1.1.1	192.168.2.4
Dec 30, 2024 09:01:04.410528898 CET	60139	53	192.168.2.4	1.1.1.1
Dec 30, 2024 09:01:04.410953999 CET	60216	53	192.168.2.4	1.1.1.1
Dec 30, 2024 09:01:04.411365032 CET	53971	53	192.168.2.4	1.1.1.1
Dec 30, 2024 09:01:04.411566019 CET	60578	53	192.168.2.4	1.1.1.1
Dec 30, 2024 09:01:04.417207956 CET	53	60139	1.1.1.1	192.168.2.4
Dec 30, 2024 09:01:04.417753935 CET	53	60216	1.1.1.1	192.168.2.4
Dec 30, 2024 09:01:04.417928934 CET	53	53971	1.1.1.1	192.168.2.4
Dec 30, 2024 09:01:04.418309927 CET	53	60578	1.1.1.1	192.168.2.4
Dec 30, 2024 09:01:04.477792025 CET	62361	53	192.168.2.4	1.1.1.1
Dec 30, 2024 09:01:04.477924109 CET	53935	53	192.168.2.4	1.1.1.1
Dec 30, 2024 09:01:04.484612942 CET	53	62361	1.1.1.1	192.168.2.4
Dec 30, 2024 09:01:04.485549927 CET	53	53935	1.1.1.1	192.168.2.4
Dec 30, 2024 09:01:05.721666098 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.023103952 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.115235090 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.172905922 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.173023939 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.173036098 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.173052073 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.173836946 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.175544977 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.175745010 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.276382923 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.276397943 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.276407003 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.276417017 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.277445078 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.277616978 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.277650118 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.373033047 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.457986116 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.459558010 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.542505026 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.542771101 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.542794943 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.550884008 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.553189993 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.560333967 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.560431004 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.561017990 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.561126947 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.653824091 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.653835058 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.653842926 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.653873920 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.655206919 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.656148911 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.656616926 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.665034056 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.665168047 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.665707111 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:06.758404970 CET	443	57994	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:06.850594997 CET	57994	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:07.401859999 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:07.402064085 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:07.498239994 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:07.499351025 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:07.510185003 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:07.510391951 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:08.188893080 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:08.189258099 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:08.284840107 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:08.285410881 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:08.285669088 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:08.286081076 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:19.131540060 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:19.131804943 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:01:19.228141069 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:19.230299950 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:19.241247892 CET	443	55694	172.64.41.3	192.168.2.4
Dec 30, 2024 09:01:19.245903969 CET	55694	443	192.168.2.4	172.64.41.3
Dec 30, 2024 09:02:12.243730068 CET	53	65112	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-12-30 08:01:01 UTC	594	OUT	GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-12-30 08:01:01 UTC	563	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC4Ki1ISq7iLyb9MDsg12aecLWE8iV327WYaoOwQXJZMDqhRoozYYOR9P_7J8euOZFY3 Accept-Ranges: bytes Content-Length: 154477 X-Goog-Hash: crc32c=F5qq4g== Server: UploadServer Date: Sun, 29 Dec 2024 15:58:13 GMT Expires: Mon, 29 Dec 2025 15:58:13 GMT Cache-Control: public, max-age=31536000 Age: 57768 Last-Modified: Thu, 12 Dec 2024 15:58:04 GMT ETag: a01bfa19_322860b8_b556d942_61bcf747_a602b083 Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-30 08:01:01 UTC	827	IN	Data Raw: 43 72 32 34 03 00 00 00 f3 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2024-12-30 08:01:01 UTC	1390	IN	Data Raw: d2 ff f8 fb 8f f1 b3 aa ea fc 5a ff 65 a8 3e ff f2 76 56 d5 8f bf fe b8 9e df fb 4a fe 2c 2f fd 58 f5 e3 8f bf ff eb c7 90 3f d4 25 97 fa fc ea 11 36 05 b0 0d c1 6d 23 05 75 5d 82 5a 95 8f c3 96 5b d7 73 d6 4d 5f 19 18 df 4a a0 b6 22 39 6c 91 fb 6c a3 f3 fd 2c 7c d5 8b 14 19 87 e6 72 d6 e7 d7 51 43 c1 e1 fb ef 9d ba 8a 34 3a 9f d4 f8 cb a1 77 6a e9 bf 9f 4f e7 c3 14 35 ef b7 d2 b7 fb ef 73 ca 6e f7 25 e1 ee 92 a5 e8 f2 fd 79 01 10 17 0f 63 e2 fc fd 91 b4 23 46 0c 8e b4 1b 1b e1 a3 2e ef a8 29 67 76 28 cd 10 21 53 ec 49 17 3e f2 20 dc 54 be b0 c5 23 dc 1d 83 eb b9 f4 a1 91 ef 0f db 83 da 5d 0b 80 ea c2 67 f3 11 c0 ee 08 4c 55 5a a8 16 40 1f 77 c3 5c 80 cd f9 b8 0f 1f 05 d8 fd 7b 9d df f7 16 4e b9 a7 7a 66 d5 6e 02 19 3a 72 f1 95 74 0c 72 0e cf 9c ab 3d a2 Data Ascii: Ze>vVJ,/X?%6m#u]Z[sM_J"9ll,\|rQC4:wjO5sn%yc#F.)gv(!SI> T#]gLUZ@w\{Nzfn:rtr=
2024-12-30 08:01:01 UTC	1390	IN	Data Raw: fb 40 b0 b4 75 cd a2 45 ec b5 f7 5f 79 7d 9c cd 6c 12 a9 d6 7b 85 01 32 0c 8b 32 98 4b 0f f9 85 0b e3 3c 40 38 52 9e 25 bb 7a 8f 3d a8 39 20 c4 e5 c3 0c b0 21 bf 16 af df 1f d6 7a ee 0d 99 c3 31 ea 95 12 c6 e4 1c 29 ba 47 74 ec a8 92 fb c2 95 5e e2 ca b0 a4 22 c6 26 76 ca 5e 73 34 d5 7c c4 e8 14 05 cb 7b 5f fe 1f 38 b8 6c f0 90 19 b5 92 81 f8 cc 81 4a 13 2f 1a 49 e0 78 71 23 7a 01 c2 0c 77 ba 14 2c e7 2c 3c 91 d1 4e bc 96 0a 3a 18 c8 cd 72 ef c9 b5 f8 8f da e7 6e b0 2f 3c 34 d7 ad f4 42 40 4c d8 a1 40 88 dc 18 8e 64 d6 1c e0 63 1e 05 cf 20 06 f7 3b 0b 70 9c 51 ec 56 dd fb 7d 11 7f 6b 6d ef 0d 1e 52 b0 4d ad e1 45 2a 6f 3e c1 ba 25 26 a2 d8 aa 43 9d 31 12 d1 9a b3 ce 3a 54 eb 81 1f 1b e6 0b 22 ca 2f 2d 08 8a 65 ef 77 c9 57 62 8f 5b 75 cd 1a e5 55 bd 63 44 Data Ascii: @uE_y}l{22K<@8R%z=9 !z1)Gt^"&v^s4\|{_8lJ/Ixq#zw,,<N:rn/<4B@L@dc ;pQV}kmRME*o>%&C1:T"/-ewWb[uUcD
2024-12-30 08:01:01 UTC	1390	IN	Data Raw: ae 14 17 a9 0a ca 56 6b be f7 64 1f 49 78 97 5a b7 31 fc 9e 6d a1 03 6f d9 e7 f7 53 08 01 c3 c5 b9 7a b9 76 b6 db 53 9b 34 0a 6b 4e 57 59 c3 5e 19 bf 00 5d 8b aa e8 60 1e 51 13 25 a6 e3 15 9d 7d ca 7d 96 c5 a9 08 a9 a5 b6 19 1f 60 d5 2f 62 7f 2f 56 f2 3d 57 f8 23 62 ea 11 f9 e1 a4 f7 19 e1 40 b8 32 a8 3b d1 0e 75 e4 ef 5e a5 8b 7d 02 3c b3 b0 c2 54 f7 e1 89 cc ec 28 67 76 59 d4 5a cb 31 52 23 4c d6 ce d6 b5 6f 6c b9 2b 3b 9d 71 b7 59 27 29 f2 cd 97 cc b0 23 c2 6d 96 10 c7 cf 94 88 f2 6e 6a 64 2b 51 dc e1 73 d9 1f ee 59 f3 bf e0 1f e0 37 0a e3 95 33 5e 91 a6 46 6d ea cf 64 89 31 b8 c4 90 37 6a 0a ad fa f8 c0 5c 14 73 a2 84 ce 1a f7 08 d6 da 7b b1 29 06 b5 cf 3b d4 47 7c d1 e7 3f 8a b5 cf 36 82 c8 ca 3a 7b 7f 72 db 3b 69 f1 47 d9 87 17 cd 7f 57 ce c3 98 bb Data Ascii: VkdIxZ1moSzvS4kNWY^]`Q%}}`/b/V=W#b@2;u^}<T(gvYZ1R#Lol+;qY')#mnjd+QsY73^Fmd17j\s{);G\|?6:{r;iGW
2024-12-30 08:01:01 UTC	1390	IN	Data Raw: fd bb 9e 52 c0 c6 ac 63 6d 6a 7d 63 a0 ee bf 61 fe 67 d7 ed a2 91 18 ea 83 e8 bc 84 3c f6 92 99 0e 39 52 fb 50 a4 8e 8d b9 50 b4 45 0e 0e e8 5c f4 48 13 5f 36 61 f7 d9 4a 58 d8 a4 e0 0f 1c 33 8b 34 04 b9 4e a3 a9 25 bf ca 6e d4 75 b6 3b e7 dc 7e 2b 83 f0 4b fc 4f d7 6f 8d 99 43 f4 2a 3b 16 67 fd f0 c0 81 0c 22 df 3e 68 cf fc 25 d5 a0 cd 23 dc 62 3a 6c 78 5f c7 cc 17 bd ce 53 9b 88 64 9b f2 5b 5f 98 71 3d 74 42 5f cb ac e5 6f 5a 85 bf 31 ff bd 96 74 6d fd 76 0d b8 3b 7f f7 5c 6e 6a 9f 9b 0e 4a ef 8f 11 b9 2d f8 fd b3 ca 10 dc fc ce f2 bf cd d3 72 cd a9 3a 3f 7e e8 ba 50 b9 e5 8c 85 66 3c 7d 7c cb b9 ae b1 2e d4 de 6e 77 cd fd f1 92 27 87 ff fc ac be ef 47 09 d4 77 ef e8 3d f4 6e 27 97 de a2 ef ff f7 ce 43 af 53 f3 cd ee 9a 5a 42 95 3d 1a be f9 ed d4 c0 dd Data Ascii: Rcmj}cag<9RPPE\H_6aJX34N%nu;~+KOoC*;g">h%#b:lx_Sd[_q=tB_oZ1tmv;\njJ-r:?~Pf<}\|.nw'Gw=n'CSZB=
2024-12-30 08:01:01 UTC	1390	IN	Data Raw: 73 3d 2b b0 5b de b2 1b ac ac c0 bf bd 49 06 60 0a 98 e5 c3 12 dc fa fd 5e 94 c6 93 21 f3 32 c4 3a e7 6a 98 8e e5 33 47 4c 6f 66 cf 66 8f 00 02 a7 37 5d af 9f 55 1c 7d 2f aa 0d 63 45 34 4d 9c 3f 0c 6f 34 66 3d 1f 97 c5 b3 39 14 7b e1 d5 d2 27 58 29 01 4d de d6 12 94 45 a0 b2 25 18 06 ec ff 89 3f ee 0f 01 1c 62 05 b0 8e 6f 05 55 2b 9a 4e 2b 15 bb 5a f9 59 a9 86 d5 aa 13 d9 6a a3 fa 56 e4 c4 f6 2d 76 5b 8b dd a8 15 f0 25 70 2a 41 38 f2 87 e9 80 f6 c5 43 a6 19 c3 34 71 63 28 94 f7 d5 3e a8 8d fb a7 40 9e 7a b1 db b3 2a 31 8c 90 2f 56 e5 7c e4 f7 bb 83 9f 23 9a 0d 8c ce 42 04 aa 0d 19 a0 6f d7 b2 9f 34 76 5f 6d 6e 6e d6 69 e4 4e a8 e8 02 80 b4 a5 20 5a 4b c7 e1 90 e1 cc 0d d0 9a 83 61 2e 2f 3c 5f c9 d6 50 bd 42 9b 7a 69 bf 37 7e c9 9f 3e a7 e6 e3 76 c6 ba 83 Data Ascii: s=+[I`^!2:j3GLoff7]U}/cE4M?o4f=9{'X)ME%?boU+N+ZYjV-v[%pA8C4qc(>@z1/V\|#Bo4v_mnniN ZKa./<_PBzi7~>v
2024-12-30 08:01:01 UTC	1390	IN	Data Raw: 3d 19 8d fb dd dd 4b 60 21 0e f5 cc 1f 33 7c 0c d2 d1 00 b1 81 5e 69 42 40 e6 1a a3 91 ad d6 e5 68 63 43 03 68 03 51 81 cd 15 5b 50 25 01 0d 0a a0 cc 37 ab d0 e0 70 db 64 42 b6 9f 01 12 e5 58 36 df 46 f2 c0 36 2c 9a 5a d0 f7 89 35 0a f9 9b 66 01 58 a1 26 0c 6a 4d 5c 4b 7b e9 58 7b 57 de c3 72 c3 01 d2 14 c3 96 8f 11 ca 88 39 7c 1d 63 60 72 6c d4 ef 71 f2 9c 49 0e 9c cd 6d 82 37 6e c9 82 9c 2f 0b 6e 24 69 39 f2 e2 78 83 7f 53 04 3d b6 a3 da b9 a8 71 16 77 6c c9 a0 89 56 73 5e 14 11 7c 7c 73 cb 7f 2a d9 f2 39 07 8f 6b 7d 56 ca c0 8d 61 7f 28 ec 36 ce 58 4c 31 40 12 ec 2c 6f 2c 2b 48 03 40 f2 e5 2b 62 36 46 17 48 75 0a bd e4 dc 22 b3 6e 9c 63 a5 86 71 d4 b8 31 30 23 af 19 81 78 83 e3 e9 5a 37 f8 9c 4b 22 f0 7a 80 ff ce 66 cd 63 e2 27 5d 67 e0 5c b9 05 91 82 Data Ascii: =K`!3\|^iB@hcChQ[P%7pdBX6F6,Z5fX&jM\K{X{Wr9\|c`rlqIm7n/n$i9xS=qwlVs^\|\|s*9k}Va(6XL1@,o,+H@+b6FHu"ncq10#xZ7K"zfc']g\
2024-12-30 08:01:01 UTC	1390	IN	Data Raw: fc c2 eb d3 07 f9 cb a9 80 c2 b8 ec 66 aa f4 9a a9 4f 23 9b 16 c3 b7 0c e9 94 d8 01 42 0d 39 01 c1 0c 00 05 bb 46 fd 6c 74 68 20 1a 73 50 b5 25 bf 9b 6b a1 76 bd ec 3e 5a 2f 34 82 c8 be 2c eb 72 e9 75 b9 81 5a f1 03 58 07 57 22 05 05 6e 85 8b 28 3e ed b7 c4 45 0d bd de ae 37 13 31 f9 80 3b 68 01 71 40 1d 01 b4 9c 4e 2d fe e0 0a c4 3b eb d6 d2 a0 03 02 2f 96 20 44 6d 8b bf 7c 02 6e 06 9b 90 bf 10 fe 39 81 a6 8e a4 2a f2 45 4e 66 1c a4 2b 79 31 d8 41 b0 51 04 2d 99 39 bc 77 2e 54 8b 76 6d a7 d8 02 27 86 e2 f3 dc 57 e3 03 ad 3a ec 69 93 fb 84 77 d0 7c da 4b 0a 2e 39 2d a6 36 d1 88 83 03 6c 5b fc 2f 79 5b 7d d8 a9 35 da cd 0e 88 f8 e2 03 a7 27 d3 a9 e0 0c 12 9c 09 82 d3 79 24 9a 2b cc 48 be 25 3a ab ff d0 19 81 59 31 2f 46 8c 01 89 b0 9a f6 ea aa b3 5c b7 89 Data Ascii: fO#B9Flth sP%kv>Z/4,ruZXW"n(>E71;hq@N-;/ Dm\|n9*ENf+y1AQ-9w.Tvm'W:iw\|K.9-6l[/y[}5'y$+H%:Y1/F\
2024-12-30 08:01:01 UTC	1390	IN	Data Raw: 41 d0 ce 03 89 61 57 3a e2 0c 48 31 96 53 3b 09 22 96 46 85 74 06 dc 97 14 6e 80 5c 17 6e 36 1a 8d 75 f8 7f 78 5c 36 a8 54 68 6b 72 c2 09 eb c5 52 50 48 b9 ff e5 a7 0f 83 fe 39 c0 51 2f 55 aa a1 dd 0a 37 5c c2 bc b6 5f 75 f5 b9 25 6c 88 f3 83 06 9b 56 b8 4a 65 5e 38 8b ca 20 06 d7 57 1a f5 b5 67 d3 e7 cf d7 5e bd b0 17 96 14 85 5e 3c 5b 03 09 6f 56 e4 52 22 10 cb 74 09 03 2f bd f9 23 7e 95 07 5a 94 28 41 b2 07 11 ae 60 79 c8 fb cd c2 c6 aa 3b ff 69 1b 7c 15 7c 8c 84 24 dc 79 fa e4 d1 a3 a5 ed fe e0 66 98 c6 c9 78 09 45 c6 ed ac 3f 9a 0c c3 a5 83 d4 1b b2 e1 cd d2 d6 64 9c f4 87 a3 da a3 a5 d3 0f 3b df 56 0f 52 3f ec 8d c2 d5 fd 00 d6 3f 8d d2 70 d8 5c da 1a 80 ee 12 ae ae d5 ea 8f 9e 3c a5 a3 07 57 cc bd 02 12 70 3b 73 2e 49 16 9f 4e 31 20 51 39 f9 af 05 Data Ascii: AaW:H1S;"Ftn\n6ux\6ThkrRPH9Q/U7\_u%lVJe^8 Wg^^<[oVR"t/#~Z(A`y;i\|\|$yfxE?d;VR??p\<Wp;s.IN1 Q9
2024-12-30 08:01:01 UTC	1390	IN	Data Raw: 87 13 fa f8 51 4e 97 0f d5 84 e9 74 fa 59 da 7c bf e3 19 63 e7 07 e3 a7 9c f0 cd e3 fc 08 b5 3a ce 6e 1e 74 71 58 2e 86 7b e3 3e 33 82 51 35 c1 d9 f3 e4 51 51 26 64 2c af 85 36 8b 9c 7b 7a b0 77 c8 75 fa 03 ca fd a0 c3 ce 9a 6e be f5 7a 7b 67 77 ef cd db fd 77 ef 0f 0e 8f 8e 3f 7c 3c 39 fd f4 f9 cb d7 6f df 7f 30 cf 87 a1 c4 49 7a 7e 91 75 7b fd c1 af e1 68 3c b9 bc ba be f9 5d 6f ac 3d 5b 7f fe e2 ef 97 af f2 63 f2 15 f4 d6 9e 55 aa 4f dd 8a 03 ff c2 3f ab 3f 5d fa b7 46 ff 56 3a 94 2b 20 dc 78 de 0a 95 8b c3 47 91 c8 67 63 2b 40 91 24 6f ca 6e 7d 87 bd d2 71 e7 b6 91 dc ac b1 6c 22 71 23 d8 4d ad 1f 0c cf f9 69 73 e6 2f 50 b6 99 79 ee 77 4a 8a 21 24 4f 4b 33 1e c8 1d fb f4 19 74 19 80 e6 f6 62 bd 83 59 19 a8 db d0 e5 f1 d2 79 f6 89 b5 56 54 75 9f c9 63 Data Ascii: QNtY\|c:ntqX.{>3Q5QQ&d,6{zwunz{gww?\|<9o0Iz~u{h<]o=[cUO??]FV:+ xGgc+@$on}ql"q#Mis/PywJ!$OK3tbYyVTuc

Timestamp	Bytes transferred	Direction	Data
2024-12-30 08:01:04 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-12-30 08:01:04 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-12-30 08:01:04 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 30 Dec 2024 08:01:04 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8fa07ff5c8a7c3fa-EWR alt-svc: h3=":443"; ma=86400
2024-12-30 08:01:04 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1f 00 04 8e fb 23 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom#)

Timestamp	Bytes transferred	Direction	Data
2024-12-30 08:01:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-12-30 08:01:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom)QM
2024-12-30 08:01:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 30 Dec 2024 08:01:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8fa07ffe0ecb7ce8-EWR alt-svc: h3=":443"; ma=86400
2024-12-30 08:01:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 04 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 0d ed 00 2d 12 65 64 67 65 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 0b 64 75 61 6c 2d 61 2d 30 30 33 36 08 61 2d 6d 73 65 64 67 65 03 6e 65 74 00 c0 30 00 05 00 01 00 00 00 19 00 02 c0 43 c0 43 00 01 00 01 00 00 00 19 00 04 0d 6b 15 ef c0 43 00 01 00 01 00 00 00 19 00 04 cc 4f c5 ef 00 00 29 04 d0 00 00 00 00 01 3e 00 0c 01 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom-edge-microsoft-comdual-a-0036a-msedgenet0CCkCO)>:

Target ID:	0
Start time:	03:00:52
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Desktop\sysmonconfig.xml"
Imagebase:	0x930000
File size:	225'176 bytes
MD5 hash:	A2E6E2A1C125973A4967540FD08C9AF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	1
Start time:	03:00:53
Start date:	30/12/2024
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\sysmonconfig.xml
Imagebase:	0x7ff7d1790000
File size:	834'512 bytes
MD5 hash:	CFE2E6942AC1B72981B3105E22D3224E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	4
Start time:	03:00:54
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Wow64 process (32bit):	true
Commandline:	"C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Imagebase:	0xde0000
File size:	85'632 bytes
MD5 hash:	F9A898A606E7F5A1CD7CFFA8079253A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	7
Start time:	03:00:55
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1964,i,8747618032302115982,16467247634679276211,262144 /prefetch:3
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	03:00:56
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2736 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:3
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	03:01:00
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5932 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	03:01:05
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=2092,i,14706900134258860897,9920335512291822920,262144 /prefetch:8
Imagebase:	0x7ff6ea6d0000
File size:	1'255'976 bytes
MD5 hash:	76C58E5BABFE4ACF0308AA646FC0F416
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	17
Start time:	03:01:17
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	19
Start time:	03:01:25
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff67dcd0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sysmonconfig.xml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0a0c5a49-c44b-40b3-bb73-e73ef68ec1c5.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\12f51fe7-472e-4dfd-911a-b6b204a85abc.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1760b4dd-6840-46c2-ac69-38cea67ad01b.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1d631fb8-8454-47db-920c-c5469b55b664.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2759380a-e156-433d-89e1-24b2c6dbef8c.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2f06deb6-863d-416c-a2ff-f3fcfb39542f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\3ae2ea35-70fc-403f-ac85-c864273f6039.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\3ed05c07-4125-4725-a0e5-11701a3cd551.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8e7fc1d3-59f7-4cfe-b3aa-5b2f9a78dfdb.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\95f309b4-1153-43d0-b278-514b424d61d0.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\1bb8aefa-3ce8-4be1-8132-91edabb91f60.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67725337-1EC4.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67725337-1FE4.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-6772534D-2268.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67725355-22E8.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\00afc671-ba1a-4545-b40c-fb1e2e6b0a91.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\23594807-3795-4ef9-93d8-a0024af631c7.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\2414e831-765d-432f-b440-7dbc082bf7eb.tmp

Windows Analysis Report
sysmonconfig.xml

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre