Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    108s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    2023-02-08, 17:02 UTC

General

  • Target

    https://support.google.com/drive?p=collaborator_accounts

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://support.google.com/drive?p=collaborator_accounts
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1528

Network

  • Country: US
    DNS
    support.google.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    support.google.com
    IN A
    Response
    support.google.com
    IN A
    142.251.36.46
  • Country: NL
    GET
    https://support.google.com/drive?p=collaborator_accounts
    IEXPLORE.EXE
    Remote address:
    142.251.36.46:443
    Request
    GET /drive?p=collaborator_accounts HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: support.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Location: https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    Date: Wed, 08 Feb 2023 17:02:49 GMT
    Expires: Wed, 08 Feb 2023 17:02:49 GMT
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=UTF-8
    X-Content-Type-Options: nosniff
    Server: support-content-ui
    Content-Length: 319
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: NL
    GET
    https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    IEXPLORE.EXE
    Remote address:
    142.251.36.46:443
    Request
    GET /drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1 HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: support.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Strict-Transport-Security: max-age=31536000; includeSubdomains
    Content-Type: text/html; charset=UTF-8
    Date: Wed, 08 Feb 2023 17:02:50 GMT
    Expires: Wed, 08 Feb 2023 17:02:50 GMT
    Cache-Control: private, max-age=0
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-U1YEALadCCxSNBBww3YY' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http: 'report-sample';report-uri https://csp.withgoogle.com/csp/scfe
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    X-Content-Type-Options: nosniff
    Content-Encoding: gzip
    Server: support-content-ui
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: NID=511=u2K7NvyrQmzHkb5SJcNTaIkBtAJ7QNmUcFuYItOUn_6LTBLOvIqnyJqwiSI_txXCGbqvHhB0HhYFlRPZmRN8M4I9x7T-YbevuTdUM-2yyLvaJ33czL_aVIZuR9ioG_BBaqQmXmtxIzLIPhbJELO9L35eqCfOMKvbhEpddeqPLZ0; expires=Thu, 10-Aug-2023 17:02:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Set-Cookie: NID=511=u2K7NvyrQmzHkb5SJcNTaIkBtAJ7QNmUcFuYItOUn_6LTBLOvIqnyJqwiSI_txXCGbqvHhB0HhYFlRPZmRN8M4I9x7T-YbevuTdUM-2yyLvaJ33czL_aVIZuR9ioG_BBaqQmXmtxIzLIPhbJELO9L35eqCfOMKvbhEpddeqPLZ0; expires=Thu, 10-Aug-2023 17:02:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Transfer-Encoding: chunked
  • Country: NL
    GET
    https://support.google.com/favicon.ico
    IEXPLORE.EXE
    Remote address:
    142.251.36.46:443
    Request
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: support.google.com
    Connection: Keep-Alive
    Cookie: NID=511=u2K7NvyrQmzHkb5SJcNTaIkBtAJ7QNmUcFuYItOUn_6LTBLOvIqnyJqwiSI_txXCGbqvHhB0HhYFlRPZmRN8M4I9x7T-YbevuTdUM-2yyLvaJ33czL_aVIZuR9ioG_BBaqQmXmtxIzLIPhbJELO9L35eqCfOMKvbhEpddeqPLZ0; _ga_H30R9PNQFN=GS1.1.1675879370.1.0.1675879370.0.0.0; _ga=GA1.3.1221844864.1675879370; _gid=GA1.3.768085649.1675879370; _gat_gtag_UA_175894890_5=1
    Response
    HTTP/1.1 200 OK
    Content-Type: image/x-icon
    Cross-Origin-Resource-Policy: cross-origin
    Date: Wed, 08 Feb 2023 17:02:51 GMT
    Expires: Wed, 08 Feb 2023 17:02:51 GMT
    Cache-Control: private, max-age=300
    X-Content-Type-Options: nosniff
    Content-Encoding: gzip
    Server: support-content-ui
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Transfer-Encoding: chunked
  • Country: US
    DNS
    lh3.googleusercontent.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    lh3.googleusercontent.com
    IN A
    Response
    lh3.googleusercontent.com
    IN CNAME
    googlehosted.l.googleusercontent.com
    googlehosted.l.googleusercontent.com
    IN A
    142.251.36.1
  • Country: US
    DNS
    storage.googleapis.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    storage.googleapis.com
    IN A
    Response
    storage.googleapis.com
    IN A
    142.251.36.16
    storage.googleapis.com
    IN A
    142.251.39.112
    storage.googleapis.com
    IN A
    172.217.168.208
    storage.googleapis.com
    IN A
    216.58.214.16
    storage.googleapis.com
    IN A
    142.250.179.144
    storage.googleapis.com
    IN A
    142.251.36.48
    storage.googleapis.com
    IN A
    142.250.179.176
    storage.googleapis.com
    IN A
    142.250.179.208
  • Country: NL
    GET
    https://lh3.googleusercontent.com/liXNSFcgL2YWyQutOyawpiwl-d9A2TD31qEZjmF9qRdCby1AJO0vE5C8_kHXB7QMggM=w36-h36
    IEXPLORE.EXE
    Remote address:
    142.251.36.1:443
    Request
    GET /liXNSFcgL2YWyQutOyawpiwl-d9A2TD31qEZjmF9qRdCby1AJO0vE5C8_kHXB7QMggM=w36-h36 HTTP/1.1
    Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
    Referer: https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: lh3.googleusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Access-Control-Expose-Headers: Content-Length
    Content-Disposition: inline;filename="unnamed.png"
    Vary: Origin
    Access-Control-Allow-Origin: *
    Timing-Allow-Origin: *
    X-Content-Type-Options: nosniff
    Server: fife
    Content-Length: 211
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 16:11:46 GMT
    Expires: Mon, 06 Feb 2023 22:04:58 GMT
    Cache-Control: public, max-age=86400, no-transform
    Age: 3064
    ETag: "v1"
    Content-Type: image/png
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: NL
    GET
    https://lh3.googleusercontent.com/uSM1WAyJPHhLEEJu9DClOxayx6mNNJ5pmlDbmNcokQTVVM2ZeN4QeoeVA2VX2IZ-Dg=w24
    IEXPLORE.EXE
    Remote address:
    142.251.36.1:443
    Request
    GET /uSM1WAyJPHhLEEJu9DClOxayx6mNNJ5pmlDbmNcokQTVVM2ZeN4QeoeVA2VX2IZ-Dg=w24 HTTP/1.1
    Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
    Referer: https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: lh3.googleusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Access-Control-Expose-Headers: Content-Length
    Content-Disposition: inline;filename="unnamed.png"
    Vary: Origin
    Access-Control-Allow-Origin: *
    Timing-Allow-Origin: *
    X-Content-Type-Options: nosniff
    Server: fife
    Content-Length: 96
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 13:47:33 GMT
    Expires: Mon, 06 Feb 2023 23:59:06 GMT
    Cache-Control: public, max-age=86400, no-transform
    Age: 11717
    ETag: "v1"
    Content-Type: image/png
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: NL
    GET
    https://lh3.googleusercontent.com/nNsoJAlCSyDVpXigDGJ6VTl9vpG8JwHyefPlSmJ8jH5IKu8TkEBAJNREgD9gHFO81b6k=w36-h36
    IEXPLORE.EXE
    Remote address:
    142.251.36.1:443
    Request
    GET /nNsoJAlCSyDVpXigDGJ6VTl9vpG8JwHyefPlSmJ8jH5IKu8TkEBAJNREgD9gHFO81b6k=w36-h36 HTTP/1.1
    Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
    Referer: https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: lh3.googleusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Access-Control-Expose-Headers: Content-Length
    Content-Disposition: inline;filename="unnamed.png"
    Vary: Origin
    Access-Control-Allow-Origin: *
    Timing-Allow-Origin: *
    X-Content-Type-Options: nosniff
    Server: fife
    Content-Length: 124
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 14:18:34 GMT
    Expires: Thu, 26 Jan 2023 06:45:07 GMT
    Cache-Control: public, max-age=86400, no-transform
    Age: 9856
    ETag: "v1"
    Content-Type: image/png
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: NL
    GET
    https://lh3.googleusercontent.com/QbWcYKta5vh_4-OgUeFmK-JOB0YgLLoGh69P478nE6mKdfpWQniiBabjF7FVoCVXI0g=h36
    IEXPLORE.EXE
    Remote address:
    142.251.36.1:443
    Request
    GET /QbWcYKta5vh_4-OgUeFmK-JOB0YgLLoGh69P478nE6mKdfpWQniiBabjF7FVoCVXI0g=h36 HTTP/1.1
    Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
    Referer: https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: lh3.googleusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Access-Control-Expose-Headers: Content-Length
    Content-Disposition: inline;filename="unnamed.png"
    Vary: Origin
    Access-Control-Allow-Origin: *
    Timing-Allow-Origin: *
    X-Content-Type-Options: nosniff
    Server: fife
    Content-Length: 124
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 14:35:36 GMT
    Expires: Wed, 01 Feb 2023 22:21:37 GMT
    Cache-Control: public, max-age=86400, no-transform
    Age: 8834
    ETag: "v1"
    Content-Type: image/png
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: NL
    GET
    https://lh3.googleusercontent.com/fKYxJWmqWKS5JTWJUHJSE6u4tKZ6JbFx7YGMbbH0cI72r3E2MhU0vPrE6uaflUm94Q=w64
    IEXPLORE.EXE
    Remote address:
    142.251.36.1:443
    Request
    GET /fKYxJWmqWKS5JTWJUHJSE6u4tKZ6JbFx7YGMbbH0cI72r3E2MhU0vPrE6uaflUm94Q=w64 HTTP/1.1
    Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
    Referer: https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: lh3.googleusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Access-Control-Expose-Headers: Content-Length
    Content-Disposition: inline;filename="unnamed.png"
    Vary: Origin
    Access-Control-Allow-Origin: *
    Timing-Allow-Origin: *
    X-Content-Type-Options: nosniff
    Server: fife
    Content-Length: 2205
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 15:14:16 GMT
    Expires: Wed, 25 Jan 2023 20:47:28 GMT
    Cache-Control: public, max-age=86400, no-transform
    Age: 6514
    ETag: "v1"
    Content-Type: image/png
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: NL
    GET
    https://lh3.googleusercontent.com/xnAMm2_zQbhuYe9sW8Yvdjqq1_W4FSbRmhHNpGqE5-zxipqV1UL1Un5lRq9PZOVdyaUI=w36-h36
    IEXPLORE.EXE
    Remote address:
    142.251.36.1:443
    Request
    GET /xnAMm2_zQbhuYe9sW8Yvdjqq1_W4FSbRmhHNpGqE5-zxipqV1UL1Un5lRq9PZOVdyaUI=w36-h36 HTTP/1.1
    Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
    Referer: https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: lh3.googleusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Access-Control-Expose-Headers: Content-Length
    Content-Disposition: inline;filename="unnamed.png"
    Vary: Origin
    Access-Control-Allow-Origin: *
    Timing-Allow-Origin: *
    X-Content-Type-Options: nosniff
    Server: fife
    Content-Length: 193
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 15:15:17 GMT
    Expires: Wed, 01 Feb 2023 13:01:38 GMT
    Cache-Control: public, max-age=86400, no-transform
    Age: 6453
    ETag: "v1"
    Content-Type: image/png
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: NL
    GET
    https://storage.googleapis.com/support-kms-prod/EkSYLH4zQcmB1Q3moTAkqWadsMNen9khgVjF
    IEXPLORE.EXE
    Remote address:
    142.251.36.16:443
    Request
    GET /support-kms-prod/EkSYLH4zQcmB1Q3moTAkqWadsMNen9khgVjF HTTP/1.1
    Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
    Referer: https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: storage.googleapis.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    X-GUploader-UploadID: ADPycdvaq47hLDXOUqJkR8KdmItXOSynkF6tdDXGA4MPwmKKIZ2LqRQC2U8VX79cXbUO-jVrg6zWJpAwQUR0daO1FSVZkA
    x-goog-generation: 1464905438094000
    x-goog-metageneration: 3
    x-goog-stored-content-encoding: identity
    x-goog-stored-content-length: 153
    x-goog-hash: crc32c=FqsE+A==
    x-goog-hash: md5=p4ZjmaIpGdWJ4SU90gOKZg==
    x-goog-storage-class: STANDARD
    Accept-Ranges: bytes
    Content-Length: 153
    Server: UploadServer
    Date: Wed, 08 Feb 2023 16:14:32 GMT
    Expires: Wed, 08 Feb 2023 17:14:32 GMT
    Cache-Control: public, max-age=3600
    Age: 2898
    Last-Modified: Thu, 02 Jun 2016 22:10:38 GMT
    ETag: "a7866399a22919d589e1253dd2038a66"
    Content-Type: image/png
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
  • Country: US
    DNS
    apis.google.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    apis.google.com
    IN A
    Response
    apis.google.com
    IN CNAME
    plus.l.google.com
    plus.l.google.com
    IN A
    216.58.208.110
  • Country: GB
    GET
    https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.3R2S2iMRC9o.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8-ukmJKpOYaCGRb909wNTowBRXFA/cb=gapi.loaded_0
    IEXPLORE.EXE
    Remote address:
    216.58.208.110:443
    Request
    GET /_/scs/abc-static/_/js/k=gapi.gapi.en.3R2S2iMRC9o.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8-ukmJKpOYaCGRb909wNTowBRXFA/cb=gapi.loaded_0 HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: apis.google.com
    Connection: Keep-Alive
    Cookie: NID=511=u2K7NvyrQmzHkb5SJcNTaIkBtAJ7QNmUcFuYItOUn_6LTBLOvIqnyJqwiSI_txXCGbqvHhB0HhYFlRPZmRN8M4I9x7T-YbevuTdUM-2yyLvaJ33czL_aVIZuR9ioG_BBaqQmXmtxIzLIPhbJELO9L35eqCfOMKvbhEpddeqPLZ0
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access"
    Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]}
    Content-Length: 37983
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 06 Feb 2023 22:16:58 GMT
    Expires: Tue, 06 Feb 2024 22:16:58 GMT
    Cache-Control: public, max-age=31536000
    Last-Modified: Sat, 07 Jan 2023 15:18:57 GMT
    Content-Type: text/javascript; charset=UTF-8
    Age: 153953
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • Country: US
    DNS
    crls.pki.goog
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    crls.pki.goog
    IN A
    Response
    crls.pki.goog
    IN CNAME
    www3.l.google.com
    www3.l.google.com
    IN A
    142.251.36.14
  • Country: US
    DNS
    crls.pki.goog
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    crls.pki.goog
    IN A
    Response
    crls.pki.goog
    IN CNAME
    www3.l.google.com
    www3.l.google.com
    IN A
    142.251.36.14
  • Country: US
    DNS
    crls.pki.goog
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    crls.pki.goog
    IN A
    Response
    crls.pki.goog
    IN CNAME
    www3.l.google.com
    www3.l.google.com
    IN A
    142.251.36.14
  • Country: US
    DNS
    crls.pki.goog
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    crls.pki.goog
    IN A
    Response
    crls.pki.goog
    IN CNAME
    www3.l.google.com
    www3.l.google.com
    IN A
    142.251.36.14
  • Country: NL
    GET
    http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl
    IEXPLORE.EXE
    Remote address:
    142.251.36.14:80
    Request
    GET /gts1c3/QqFxbi9M48c.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crls.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 12168
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 16:28:33 GMT
    Expires: Wed, 08 Feb 2023 17:18:33 GMT
    Cache-Control: public, max-age=3000
    Age: 2068
    Last-Modified: Wed, 08 Feb 2023 12:14:38 GMT
    Content-Type: application/pkix-crl
  • Country: NL
    GET
    http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl
    IEXPLORE.EXE
    Remote address:
    142.251.36.14:80
    Request
    GET /gts1c3/QqFxbi9M48c.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crls.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 12168
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 16:28:33 GMT
    Expires: Wed, 08 Feb 2023 17:18:33 GMT
    Cache-Control: public, max-age=3000
    Age: 2068
    Last-Modified: Wed, 08 Feb 2023 12:14:38 GMT
    Content-Type: application/pkix-crl
  • Country: NL
    GET
    http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl
    IEXPLORE.EXE
    Remote address:
    142.251.36.14:80
    Request
    GET /gts1c3/zdATt0Ex_Fk.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crls.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 12129
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 16:17:20 GMT
    Expires: Wed, 08 Feb 2023 17:07:20 GMT
    Cache-Control: public, max-age=3000
    Age: 2741
    Last-Modified: Wed, 08 Feb 2023 08:15:10 GMT
    Content-Type: application/pkix-crl
  • Country: NL
    GET
    http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl
    IEXPLORE.EXE
    Remote address:
    142.251.36.14:80
    Request
    GET /gts1c3/zdATt0Ex_Fk.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crls.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 12129
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 08 Feb 2023 16:17:20 GMT
    Expires: Wed, 08 Feb 2023 17:07:20 GMT
    Cache-Control: public, max-age=3000
    Age: 2741
    Last-Modified: Wed, 08 Feb 2023 08:15:10 GMT
    Content-Type: application/pkix-crl
  • Country: US
    DNS
    www.microsoft.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    173.223.113.131
  • 142.251.36.46:443
    support.google.com
    IEXPLORE.EXE
    152 B
    3
  • 142.251.36.46:443
    support.google.com
    IEXPLORE.EXE
    152 B
    3
  • 142.251.36.46:443
    support.google.com
    tls
    IEXPLORE.EXE
    709 B
    7.3kB
    9
    10
  • 142.251.36.46:443
    https://support.google.com/favicon.ico
    tls, http
    IEXPLORE.EXE
    9.8kB
    335.4kB
    161
    254

    HTTP Request

    GET https://support.google.com/drive?p=collaborator_accounts

    HTTP Response

    301

    HTTP Request

    GET https://support.google.com/drive/answer/9195194?visit_id=638114725699461083-795429016&p=collaborator_accounts&rd=1

    HTTP Response

    200

    HTTP Request

    GET https://support.google.com/favicon.ico

    HTTP Response

    200
  • 142.251.36.1:443
    https://lh3.googleusercontent.com/fKYxJWmqWKS5JTWJUHJSE6u4tKZ6JbFx7YGMbbH0cI72r3E2MhU0vPrE6uaflUm94Q=w64
    tls, http
    IEXPLORE.EXE
    3.5kB
    14.3kB
    16
    18

    HTTP Request

    GET https://lh3.googleusercontent.com/liXNSFcgL2YWyQutOyawpiwl-d9A2TD31qEZjmF9qRdCby1AJO0vE5C8_kHXB7QMggM=w36-h36

    HTTP Response

    200

    HTTP Request

    GET https://lh3.googleusercontent.com/uSM1WAyJPHhLEEJu9DClOxayx6mNNJ5pmlDbmNcokQTVVM2ZeN4QeoeVA2VX2IZ-Dg=w24

    HTTP Response

    200

    HTTP Request

    GET https://lh3.googleusercontent.com/nNsoJAlCSyDVpXigDGJ6VTl9vpG8JwHyefPlSmJ8jH5IKu8TkEBAJNREgD9gHFO81b6k=w36-h36

    HTTP Response

    200

    HTTP Request

    GET https://lh3.googleusercontent.com/QbWcYKta5vh_4-OgUeFmK-JOB0YgLLoGh69P478nE6mKdfpWQniiBabjF7FVoCVXI0g=h36

    HTTP Response

    200

    HTTP Request

    GET https://lh3.googleusercontent.com/fKYxJWmqWKS5JTWJUHJSE6u4tKZ6JbFx7YGMbbH0cI72r3E2MhU0vPrE6uaflUm94Q=w64

    HTTP Response

    200
  • 142.251.36.1:443
    lh3.googleusercontent.com
    IEXPLORE.EXE
    152 B
    3
  • 142.251.36.1:443
    https://lh3.googleusercontent.com/xnAMm2_zQbhuYe9sW8Yvdjqq1_W4FSbRmhHNpGqE5-zxipqV1UL1Un5lRq9PZOVdyaUI=w36-h36
    tls, http
    IEXPLORE.EXE
    1.3kB
    9.9kB
    11
    12

    HTTP Request

    GET https://lh3.googleusercontent.com/xnAMm2_zQbhuYe9sW8Yvdjqq1_W4FSbRmhHNpGqE5-zxipqV1UL1Un5lRq9PZOVdyaUI=w36-h36

    HTTP Response

    200
  • 142.251.36.1:443
    lh3.googleusercontent.com
    tls
    IEXPLORE.EXE
    756 B
    8.4kB
    10
    10
  • 142.251.36.1:443
    lh3.googleusercontent.com
    tls
    IEXPLORE.EXE
    762 B
    8.5kB
    10
    12
  • 142.251.36.1:443
    lh3.googleusercontent.com
    IEXPLORE.EXE
    152 B
    3
  • 142.251.36.16:443
    https://storage.googleapis.com/support-kms-prod/EkSYLH4zQcmB1Q3moTAkqWadsMNen9khgVjF
    tls, http
    IEXPLORE.EXE
    1.2kB
    6.8kB
    10
    10

    HTTP Request

    GET https://storage.googleapis.com/support-kms-prod/EkSYLH4zQcmB1Q3moTAkqWadsMNen9khgVjF

    HTTP Response

    200
  • 142.251.36.16:443
    storage.googleapis.com
    tls
    IEXPLORE.EXE
    713 B
    4.7kB
    9
    9
  • 216.58.208.110:443
    https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.3R2S2iMRC9o.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8-ukmJKpOYaCGRb909wNTowBRXFA/cb=gapi.loaded_0
    tls, http
    IEXPLORE.EXE
    2.2kB
    45.6kB
    25
    38

    HTTP Request

    GET https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.3R2S2iMRC9o.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8-ukmJKpOYaCGRb909wNTowBRXFA/cb=gapi.loaded_0

    HTTP Response

    200
  • 216.58.208.110:443
    apis.google.com
    IEXPLORE.EXE
    152 B
    3
  • 142.251.36.14:80
    http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl
    http
    IEXPLORE.EXE
    595 B
    13.4kB
    10
    12

    HTTP Request

    GET http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl

    HTTP Response

    200
  • 142.251.36.14:80
    http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl
    http
    IEXPLORE.EXE
    595 B
    13.4kB
    10
    12

    HTTP Request

    GET http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl

    HTTP Response

    200
  • 142.251.36.14:80
    http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl
    http
    IEXPLORE.EXE
    595 B
    13.3kB
    10
    12

    HTTP Request

    GET http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl

    HTTP Response

    200
  • 142.251.36.14:80
    http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl
    http
    IEXPLORE.EXE
    595 B
    13.3kB
    10
    12

    HTTP Request

    GET http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl

    HTTP Response

    200
  • 142.251.36.1:443
    lh3.googleusercontent.com
    tls
    IEXPLORE.EXE
    529 B
    355 B
    6
    5
  • 142.251.36.1:443
    lh3.googleusercontent.com
    tls
    IEXPLORE.EXE
    529 B
    355 B
    6
    5
  • 216.58.208.110:443
    apis.google.com
    tls
    IEXPLORE.EXE
    519 B
    355 B
    6
    5
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls
    iexplore.exe
    707 B
    7.6kB
    8
    11
  • 8.8.8.8:53
    support.google.com
    dns
    IEXPLORE.EXE
    64 B
    80 B
    1
    1

    DNS Request

    support.google.com

    DNS Response

    142.251.36.46

  • 8.8.8.8:53
    lh3.googleusercontent.com
    dns
    IEXPLORE.EXE
    71 B
    116 B
    1
    1

    DNS Request

    lh3.googleusercontent.com

    DNS Response

    142.251.36.1

  • 8.8.8.8:53
    storage.googleapis.com
    dns
    IEXPLORE.EXE
    68 B
    196 B
    1
    1

    DNS Request

    storage.googleapis.com

    DNS Response

    142.251.36.16
    142.251.39.112
    172.217.168.208
    216.58.214.16
    142.250.179.144
    142.251.36.48
    142.250.179.176
    142.250.179.208

  • 8.8.8.8:53
    apis.google.com
    dns
    IEXPLORE.EXE
    61 B
    98 B
    1
    1

    DNS Request

    apis.google.com

    DNS Response

    216.58.208.110

  • 8.8.8.8:53
    crls.pki.goog
    dns
    IEXPLORE.EXE
    59 B
    106 B
    1
    1

    DNS Request

    crls.pki.goog

    DNS Response

    142.251.36.14

  • 8.8.8.8:53
    crls.pki.goog
    dns
    IEXPLORE.EXE
    59 B
    106 B
    1
    1

    DNS Request

    crls.pki.goog

    DNS Response

    142.251.36.14

  • 8.8.8.8:53
    crls.pki.goog
    dns
    IEXPLORE.EXE
    59 B
    106 B
    1
    1

    DNS Request

    crls.pki.goog

    DNS Response

    142.251.36.14

  • 8.8.8.8:53
    crls.pki.goog
    dns
    IEXPLORE.EXE
    59 B
    106 B
    1
    1

    DNS Request

    crls.pki.goog

    DNS Response

    142.251.36.14

  • 8.8.8.8:53
    www.microsoft.com
    dns
    iexplore.exe
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    173.223.113.131
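
The network section above shows the pattern a sandbox run of a plain URL produces: the browser's 301 redirect chain on the target host, third-party resource hosts (lh3.googleusercontent.com, storage.googleapis.com, apis.google.com), CryptoAPI certificate-revocation fetches over plain HTTP (User-Agent Microsoft-CryptoAPI/6.1, port 80), and Windows/IE background lookups (www.microsoft.com, ieonline.microsoft.com). The Python below is an added triage example, not code from tria.ge or from the report: it classifies event records constructed from the transactions above (visit_id and cookie values shortened) so the expected noise can be set aside, follows the Location chain, and checks Set-Cookie attributes. The OS_NOISE_HOSTS allow-list, the label names and the HttpEvent shape are assumptions for illustration.

```python
"""Triage of sandbox HTTP events: separate OS background traffic from the
target's own activity. Added example; the records below are constructed
from the report, not exported by the sandbox."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts Windows 7 / IE 11 contact on their own (seen in this report's
# background lookups); constructed allow-list, extend it for your sandbox.
OS_NOISE_HOSTS = {"www.microsoft.com", "ieonline.microsoft.com"}


@dataclass
class HttpEvent:
    method: str
    url: str
    user_agent: str
    remote: str                                   # "ip:port" of the server
    status: int
    headers: dict = field(default_factory=dict)   # response headers


def classify(ev: HttpEvent, target_host: str) -> str:
    """Label one event so an analyst can skip expected noise."""
    u = urlparse(ev.url)
    port = int(ev.remote.rsplit(":", 1)[1])
    # CryptoAPI fetches CRLs over plain HTTP by design: the CRL is signed by
    # the CA, so it needs no confidentiality, and TLS would recurse into
    # another revocation check. Not a finding on its own.
    if ev.user_agent.startswith("Microsoft-CryptoAPI") and u.path.endswith(".crl"):
        return "crl-check"
    if u.hostname in OS_NOISE_HOSTS:
        return "os-noise"
    if u.scheme == "http" or port == 80:
        return "cleartext"            # any other unencrypted request deserves a look
    if u.hostname == target_host:
        return "target"
    return "third-party"


def redirect_chain(events: list, start_url: str) -> list:
    """Follow Location headers from start_url through the observed events."""
    by_url = {e.url: e for e in events}
    chain, url = [start_url], start_url
    while url in by_url and 300 <= by_url[url].status < 400:
        url = by_url[url].headers.get("Location", "")
        if not url or url in chain:   # stop on a missing Location or a loop
            break
        chain.append(url)
    return chain


def cookie_findings(set_cookie: str) -> tuple:
    """Parse a Set-Cookie value and report missing protective attributes."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite") == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return name, findings


IE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
ANSWER = "https://support.google.com/drive/answer/9195194?p=collaborator_accounts&rd=1"

# Constructed from the report's transactions (visit_id parameter dropped).
EVENTS = [
    HttpEvent("GET", "https://support.google.com/drive?p=collaborator_accounts",
              IE_UA, "142.251.36.46:443", 301, {"Location": ANSWER}),
    HttpEvent("GET", ANSWER, IE_UA, "142.251.36.46:443", 200),
    HttpEvent("GET", "https://lh3.googleusercontent.com/liXNSFcgL2YWyQutOyawpiwl-d9A2TD31qEZjmF9qRdCby1AJO0vE5C8_kHXB7QMggM=w36-h36",
              IE_UA, "142.251.36.1:443", 200),
    HttpEvent("GET", "http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl",
              "Microsoft-CryptoAPI/6.1", "142.251.36.14:80", 200),
]

# Attributes as sent by support.google.com above; cookie value is a placeholder.
NID_COOKIE = ("NID=511=EXAMPLEVALUE; expires=Thu, 10-Aug-2023 17:02:49 GMT; "
              "path=/; domain=.google.com; Secure; HttpOnly; SameSite=none")


def summarize(events=EVENTS, target_host="support.google.com") -> dict:
    """Count events per label; the first thing an analyst wants to read."""
    counts = {}
    for e in events:
        label = classify(e, target_host)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize())
    print(redirect_chain(EVENTS, EVENTS[0].url))
    print(cookie_findings(NID_COOKIE))
```

On this report the summary is two target requests, one third-party resource and one CRL check, with no cleartext request other than the CRL fetch; the NID cookie carries Secure, HttpOnly and SameSite=None, so cookie_findings returns no findings for it.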

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2031ab374af55b755217bde2cf093008

    SHA1

    89902f654d577c7a89381fa488c31872348085b0

    SHA256

    05b2471e39661682f37af4fd8212837d44715f74c4b839211803cc51a0d2bce7

    SHA512

    b125ddd3d99f214859e9e51d55d4aea480aebba9ea318d3e1f3992457040bbc1086d7a5203d2922639f32996d3baf5edf0a1f5b296b47123c0aec69f28a4c7d8

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

    Filesize

    5KB

    MD5

    f74fd5633b2e7a2c891e8362adf7dc20

    SHA1

    f5dfb80b6c1614457bfecea5feaede10f57a15f8

    SHA256

    b63121caffb7a879b4a11d0431f86b60f157737d3b68ce9443422f4e3df45c6d

    SHA512

    489e6c6e9da5ac0f1d655cc79860d2a6501728df96b82a86e15e725eebd0fe0877cbe9f4e90e54e6dee4b5526dffd26785131ebfe6e9a2c38bd804e35ebe7418

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZBIV112E.txt

    Filesize

    608B

    MD5

    046fe2d07fb48fe1c81434cf6d019874

    SHA1

    58042d0d4b234cafa678b29c5fb72105be579107

    SHA256

    43d0e5062f18635ed799f7217c3bd9d3113ef9336b5192072673b765164d77fb

    SHA512

    75bc757fec4e6e448665fcf857b0d6fd83f4d1dd08ad88fe8a21a723d5ff3308875b9a8483fb53b666280d2d9bb48b8385ae4e76e76c03553312c669decc97d6
