Analysis

  • max time kernel
    137s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/07/2023, 03:13 UTC

General

  • Target

    classroom.html

  • Size

    517B

  • MD5

    ff28760867f416f792f570022ac87974

  • SHA1

    01b2dd0349eb737ea3d43be36e0f610ddb7eb70a

  • SHA256

    cc055d1486aa3f323ee3a22ee16e343619b98e538b5cf7ff960bc53e0deb72e0

  • SHA512

    829f8cd106f8532cc7c5a477d68c9aeb440af3937ced4d82d49289fce786f64233dbff9d722f8d47d5b8eb0714e49832f53053041ec3e27345ff1ac345fcd0c3

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\classroom.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2620

Network

  • flag-us
    DNS
    apis.google.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    apis.google.com
    IN A
    Response
    apis.google.com
    IN CNAME
    plus.l.google.com
    plus.l.google.com
    IN A
    172.217.23.206
  • flag-de
    GET
    https://apis.google.com/js/platform.js
    IEXPLORE.EXE
    Remote address:
    172.217.23.206:443
    Request
    GET /js/platform.js HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: apis.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Type: text/javascript
    Access-Control-Allow-Origin: *
    Content-Security-Policy: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/gapi-team
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="gapi-team"
    Report-To: {"group":"gapi-team","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gapi-team"}]}
    Timing-Allow-Origin: *
    Date: Mon, 17 Jul 2023 03:14:58 GMT
    Expires: Mon, 17 Jul 2023 03:14:58 GMT
    Cache-Control: private, max-age=1800, stale-while-revalidate=1800
    ETag: "350a26909a9a3486"
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Transfer-Encoding: chunked
  • flag-de
    GET
    https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=sharetoclassroom/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_0?le=scs
    IEXPLORE.EXE
    Remote address:
    172.217.23.206:443
    Request
    GET /_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=sharetoclassroom/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_0?le=scs HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: apis.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Encoding: gzip
    Access-Control-Allow-Origin: *
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access"
    Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]}
    Content-Length: 54704
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Thu, 13 Jul 2023 18:53:18 GMT
    Expires: Fri, 12 Jul 2024 18:53:18 GMT
    Cache-Control: public, max-age=31536000
    Age: 289300
    Last-Modified: Tue, 06 Jun 2023 15:25:44 GMT
    Content-Type: text/javascript; charset=UTF-8
    Vary: Accept-Encoding
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-de
    GET
    https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=auth/exm=sharetoclassroom/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_1?le=scs
    IEXPLORE.EXE
    Remote address:
    172.217.23.206:443
    Request
    GET /_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=auth/exm=sharetoclassroom/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_1?le=scs HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: apis.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Encoding: gzip
    Access-Control-Allow-Origin: *
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access"
    Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]}
    Content-Length: 34445
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 15 Jul 2023 19:34:00 GMT
    Expires: Sun, 14 Jul 2024 19:34:00 GMT
    Cache-Control: public, max-age=31536000
    Age: 114058
    Last-Modified: Tue, 06 Jun 2023 15:25:44 GMT
    Content-Type: text/javascript; charset=UTF-8
    Vary: Accept-Encoding
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-de
    GET
    https://apis.google.com/js/rpc:shindig_random.js?onload=init
    IEXPLORE.EXE
    Remote address:
    172.217.23.206:443
    Request
    GET /js/rpc:shindig_random.js?onload=init HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: apis.google.com
    Connection: Keep-Alive
    Cookie: NID=511=A1mO3AkcupSvTCUnAdwOJ3p9kfQ-EpexmR6yLR4GQW2ScezAF_qOeucCe897SI8CNdwIucQPfuBb_L7CSAgO_N2KWM2oca0coxbGK5IKNeuy87a1LyBZQVvNpAwhkm4XQaAMftnhqv9manB1zp3NXZwM18FejE4oE9hw8HODKvs
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Type: text/javascript
    Access-Control-Allow-Origin: *
    Content-Security-Policy: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/gapi-team
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="gapi-team"
    Report-To: {"group":"gapi-team","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gapi-team"}]}
    Timing-Allow-Origin: *
    Date: Mon, 17 Jul 2023 03:15:01 GMT
    Expires: Mon, 17 Jul 2023 03:15:01 GMT
    Cache-Control: private, max-age=1800, stale-while-revalidate=1800
    ETag: "f506aa030db91aa0"
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Transfer-Encoding: chunked
  • flag-de
    GET
    https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=rpc,shindig_random/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_0?le=scs
    IEXPLORE.EXE
    Remote address:
    172.217.23.206:443
    Request
    GET /_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=rpc,shindig_random/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_0?le=scs HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: apis.google.com
    Connection: Keep-Alive
    Cookie: NID=511=A1mO3AkcupSvTCUnAdwOJ3p9kfQ-EpexmR6yLR4GQW2ScezAF_qOeucCe897SI8CNdwIucQPfuBb_L7CSAgO_N2KWM2oca0coxbGK5IKNeuy87a1LyBZQVvNpAwhkm4XQaAMftnhqv9manB1zp3NXZwM18FejE4oE9hw8HODKvs
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Encoding: gzip
    Access-Control-Allow-Origin: *
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access"
    Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]}
    Content-Length: 22860
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 15 Jul 2023 09:21:07 GMT
    Expires: Sun, 14 Jul 2024 09:21:07 GMT
    Cache-Control: public, max-age=31536000
    Last-Modified: Tue, 06 Jun 2023 15:25:44 GMT
    Content-Type: text/javascript; charset=UTF-8
    Vary: Accept-Encoding
    Age: 150834
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    classroom.google.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    classroom.google.com
    IN A
    Response
    classroom.google.com
    IN A
    142.251.36.46
  • flag-nl
    GET
    https://classroom.google.com/sharewidget?usegapi=1&url=%24VIDEO_URL%24&body=test&origin=file%3A%2F%2F&gsrc=3p&ic=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    IEXPLORE.EXE
    Remote address:
    142.251.36.46:443
    Request
    GET /sharewidget?usegapi=1&url=%24VIDEO_URL%24&body=test&origin=file%3A%2F%2F&gsrc=3p&ic=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: classroom.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
    Expires: Mon, 17 Jul 2023 03:15:00 GMT
    Date: Mon, 17 Jul 2023 03:15:00 GMT
    Cache-Control: private, max-age=86400
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport
    Content-Security-Policy: script-src 'nonce-9DVjEIShX4N1Clfcdxck8A' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://classroom.google.com/cspreport
    Cross-Origin-Resource-Policy: same-site
    Cross-Origin-Opener-Policy: same-origin
    Content-Encoding: gzip
    Server: ESF
    X-XSS-Protection: 0
    X-Content-Type-Options: nosniff
    Set-Cookie: NID=511=A1mO3AkcupSvTCUnAdwOJ3p9kfQ-EpexmR6yLR4GQW2ScezAF_qOeucCe897SI8CNdwIucQPfuBb_L7CSAgO_N2KWM2oca0coxbGK5IKNeuy87a1LyBZQVvNpAwhkm4XQaAMftnhqv9manB1zp3NXZwM18FejE4oE9hw8HODKvs; expires=Tue, 16-Jan-2024 03:15:00 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Transfer-Encoding: chunked
  • flag-us
    DNS
    accounts.google.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    accounts.google.com
    IN A
    Response
    accounts.google.com
    IN A
    142.251.36.45
  • flag-nl
    GET
    https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    IEXPLORE.EXE
    Remote address:
    142.251.36.45:443
    Request
    GET /o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: accounts.google.com
    Connection: Keep-Alive
    Cookie: NID=511=A1mO3AkcupSvTCUnAdwOJ3p9kfQ-EpexmR6yLR4GQW2ScezAF_qOeucCe897SI8CNdwIucQPfuBb_L7CSAgO_N2KWM2oca0coxbGK5IKNeuy87a1LyBZQVvNpAwhkm4XQaAMftnhqv9manB1zp3NXZwM18FejE4oE9hw8HODKvs
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 17 Jul 2023 03:15:01 GMT
    Content-Security-Policy: script-src 'nonce--Y4dWE7rRjxb3WicsCauTA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /o/cspreport
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /o/cspreport
    Content-Encoding: gzip
    Server: ESF
    X-XSS-Protection: 0
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Transfer-Encoding: chunked
  • flag-us
    DNS
    ssl.gstatic.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    ssl.gstatic.com
    IN A
    Response
    ssl.gstatic.com
    IN A
    172.217.23.195
  • flag-de
    GET
    https://ssl.gstatic.com/accounts/o/3698212825-postmessagerelay.js
    IEXPLORE.EXE
    Remote address:
    172.217.23.195:443
    Request
    GET /accounts/o/3698212825-postmessagerelay.js HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ssl.gstatic.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Encoding: gzip
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/federated-signon-mpm-access
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="federated-signon-mpm-access"
    Report-To: {"group":"federated-signon-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/federated-signon-mpm-access"}]}
    Content-Length: 5184
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sun, 16 Jul 2023 15:45:49 GMT
    Expires: Mon, 15 Jul 2024 15:45:49 GMT
    Cache-Control: public, max-age=31536000
    Last-Modified: Thu, 13 Jul 2023 00:13:48 GMT
    Content-Type: text/javascript
    Vary: Accept-Encoding
    Age: 41352
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-nl
    GET
    https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    IEXPLORE.EXE
    Remote address:
    142.251.36.45:443
    Request
    GET /o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: accounts.google.com
    Connection: Keep-Alive
    Cookie: NID=511=A1mO3AkcupSvTCUnAdwOJ3p9kfQ-EpexmR6yLR4GQW2ScezAF_qOeucCe897SI8CNdwIucQPfuBb_L7CSAgO_N2KWM2oca0coxbGK5IKNeuy87a1LyBZQVvNpAwhkm4XQaAMftnhqv9manB1zp3NXZwM18FejE4oE9hw8HODKvs
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 17 Jul 2023 03:16:03 GMT
    Content-Security-Policy: script-src 'nonce-Qey9yXv8MlJXvOO7kzikCg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /o/cspreport
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /o/cspreport
    Content-Encoding: gzip
    Server: ESF
    X-XSS-Protection: 0
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Transfer-Encoding: chunked
  • flag-nl
    GET
    https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    IEXPLORE.EXE
    Remote address:
    142.251.36.45:443
    Request
    GET /o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: accounts.google.com
    Connection: Keep-Alive
    Cookie: NID=511=A1mO3AkcupSvTCUnAdwOJ3p9kfQ-EpexmR6yLR4GQW2ScezAF_qOeucCe897SI8CNdwIucQPfuBb_L7CSAgO_N2KWM2oca0coxbGK5IKNeuy87a1LyBZQVvNpAwhkm4XQaAMftnhqv9manB1zp3NXZwM18FejE4oE9hw8HODKvs
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 17 Jul 2023 03:17:05 GMT
    Content-Security-Policy: script-src 'nonce-paABWMLJKMNZmdfwlK8v1w' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /o/cspreport
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /o/cspreport
    Content-Encoding: gzip
    Server: ESF
    X-XSS-Protection: 0
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Transfer-Encoding: chunked
  • 172.217.23.206:443
    https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=sharetoclassroom/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_0?le=scs
    tls, http
    IEXPLORE.EXE
    3.0kB
    88.0kB
    44
    70

    HTTP Request

    GET https://apis.google.com/js/platform.js

    HTTP Response

    200

    HTTP Request

    GET https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=sharetoclassroom/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_0?le=scs

    HTTP Response

    200
  • 172.217.23.206:443
    https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=rpc,shindig_random/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_0?le=scs
    tls, http
    IEXPLORE.EXE
    4.1kB
    75.8kB
    39
    62

    HTTP Request

    GET https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=auth/exm=sharetoclassroom/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_1?le=scs

    HTTP Response

    200

    HTTP Request

    GET https://apis.google.com/js/rpc:shindig_random.js?onload=init

    HTTP Response

    200

    HTTP Request

    GET https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.5o5-TAFr18s.O/m=rpc,shindig_random/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ/cb=gapi.loaded_0?le=scs

    HTTP Response

    200
  • 142.251.36.46:443
    classroom.google.com
    tls
    IEXPLORE.EXE
    757 B
    4.8kB
    10
    9
  • 142.251.36.46:443
    https://classroom.google.com/sharewidget?usegapi=1&url=%24VIDEO_URL%24&body=test&origin=file%3A%2F%2F&gsrc=3p&ic=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    tls, http
    IEXPLORE.EXE
    1.4kB
    7.0kB
    12
    14

    HTTP Request

    GET https://classroom.google.com/sharewidget?usegapi=1&url=%24VIDEO_URL%24&body=test&origin=file%3A%2F%2F&gsrc=3p&ic=1&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__

    HTTP Response

    200
  • 142.251.36.45:443
    accounts.google.com
    tls
    IEXPLORE.EXE
    756 B
    4.8kB
    10
    9
  • 142.251.36.45:443
    https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    tls, http
    IEXPLORE.EXE
    1.5kB
    6.2kB
    11
    13

    HTTP Request

    GET https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__

    HTTP Response

    200
  • 172.217.23.195:443
    https://ssl.gstatic.com/accounts/o/3698212825-postmessagerelay.js
    tls, http
    IEXPLORE.EXE
    1.4kB
    11.9kB
    12
    14

    HTTP Request

    GET https://ssl.gstatic.com/accounts/o/3698212825-postmessagerelay.js

    HTTP Response

    200
  • 172.217.23.195:443
    ssl.gstatic.com
    tls
    IEXPLORE.EXE
    752 B
    4.8kB
    10
    9
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls
    iexplore.exe
    799 B
    7.7kB
    10
    13
  • 142.251.36.45:443
    accounts.google.com
    tls
    IEXPLORE.EXE
    523 B
    355 B
    6
    5
  • 142.251.36.45:443
    https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    tls, http
    IEXPLORE.EXE
    1.4kB
    1.9kB
    10
    10

    HTTP Request

    GET https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__

    HTTP Response

    200
  • 142.251.36.45:443
    https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__
    tls, http
    IEXPLORE.EXE
    1.2kB
    1.9kB
    7
    8

    HTTP Request

    GET https://accounts.google.com/o/oauth2/postmessageRelay?parent=file%3A%2F%2F&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.lb.en.5o5-TAFr18s.O%2Fd%3D1%2Frs%3DAHpOoo_qgszOsFrBH7bZ1Rmfwa9Mc03wLQ%2Fm%3D__features__

    HTTP Response

    200
  • 142.251.36.45:443
    accounts.google.com
    tls
    IEXPLORE.EXE
    431 B
    315 B
    4
    4
  • 8.8.8.8:53
    apis.google.com
    dns
    IEXPLORE.EXE
    61 B
    98 B
    1
    1

    DNS Request

    apis.google.com

    DNS Response

    172.217.23.206

  • 8.8.8.8:53
    classroom.google.com
    dns
    IEXPLORE.EXE
    66 B
    82 B
    1
    1

    DNS Request

    classroom.google.com

    DNS Response

    142.251.36.46

  • 8.8.8.8:53
    accounts.google.com
    dns
    IEXPLORE.EXE
    65 B
    81 B
    1
    1

    DNS Request

    accounts.google.com

    DNS Response

    142.251.36.45

  • 8.8.8.8:53
    ssl.gstatic.com
    dns
    IEXPLORE.EXE
    61 B
    77 B
    1
    1

    DNS Request

    ssl.gstatic.com

    DNS Response

    172.217.23.195

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    b1947f0f0d5c22c0486cfcf574e38e45

    SHA1

    53529c5e7bfda72c7b708d0222e5e01d0bb7f268

    SHA256

    038b65065b1638a33ff60834ca5a8424304f829bf6aa95c2ed74d153bf88784f

    SHA512

    d3bf09dbf13adbf2895284270e38507e88028f5d2d9b68ace82b5d52cf916f2a6891a4c80b703a92d1fd5f4dd8723dad907c8afc4dcec25df333295a84592269

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    5fa75282e5d5dbd79542a21ea9d412fa

    SHA1

    a0d7977473899ffcfc9aae7e96f682f48bcace78

    SHA256

    856e0b7aa84709cb87741db3877e7ad81b4aad803e5b2ffbe6aa88539048e5f7

    SHA512

    d0069e14b101ac2583e43c1b67faf6eda09cf037325f544c9ed3cca0458aa05552a65a9ec6d38423d53a8e43b2a6aac32da945fe646b60c4823640db45860584

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    bc1373edeb6302548efb3acc71e0917b

    SHA1

    15109fa0a13afbd8431daff57201cf66ddc474e1

    SHA256

    712d01e1f7b36522999542ed12bd2dc2e670424c266843741e8dbb62d51b6851

    SHA512

    900c5532e6d0b7613ebd95f6f5ad252c8fa293f374adb977bf2b7d63de73a3a89ce7021e59421e1dec8c565bc79abb60afe09e5756329558429e101d2d21985c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    048d541b37ae783a04b2277f6df57b2c

    SHA1

    407346854b72ecd71c29c8f6104b2432ffc4a658

    SHA256

    ad39092c3ea3dca6f1e5d70f06c85b136fe834fa7743270b6f0659ec6514feec

    SHA512

    7ca73c543772fb12a4c8563cb08cac0b28689511ed51378e859fc8514b18e99490d24166f8b2454aa4c8b10d6a66ca243dc91738a54f229deaa23c8f34901928

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    b57e252104b1bdf914859a68b471bcb7

    SHA1

    30149d7e856bc24f3029351210aca0bc590207a0

    SHA256

    af17b82005b46cfd85f901762f04459320ec7a343c581e2e45635859d25b7153

    SHA512

    f3caf990b3b3adb5a6ecb58008144fa66b1537e351c72553acbeffa3cac5ed66f687e327952198f34ecb2a6b1f0a1423feb237de1be25d3ec19fd1c0904066d1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    64b35c7a3ddd640a5de17a3f65c7ab72

    SHA1

    b592183d05e87c58898949aee3d8c8ce02ae8e8d

    SHA256

    1ac282aa8771f41252068eccb2672798035c8145c96e604d426768009b6fdb49

    SHA512

    d308aba9baa468f0fc3a2999a568d70990782c574d5e8e5c499d34116499d5a4b0ac9785502caf16be42d94441a93edb3a4ecfe07e5efe734eff680cb28cbb7d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    d49010dddc599a547f19bcd5df61eceb

    SHA1

    a99d50f34311c5c5e97ded16da61dcccc29854de

    SHA256

    0cc779be9f9392e5a76abbd8ba1357250498fbe6054c394a6528e7d124f3b5b3

    SHA512

    8dc444b6fcaed6f4ba2ee900d4c42a2bf40e882c27676cb87859abbe9c8025d62841de392f995f289d38d15ccddc5369fa0aedd6d2731a6991f10feac7d6b945

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    040adb3db905299b623e9ba63fb3012e

    SHA1

    fe6191101a80c7511aae366f43165c829380f1ec

    SHA256

    12fd6752f809ba2309839d124014a38705029453001374cf4c095b936b8f23e8

    SHA512

    0786c45fcedea1608ef0cc306be62cd7d491306693518bd13c93d83275957b7219c6114f21d97706065ba3c0a40a68ebfa179e8a1c77605d194a573892d490b6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    c7907da7aa4cb7c2178f45e755e6d586

    SHA1

    8f517a4acfeb62a9693e3143d1b161cefc14c98a

    SHA256

    76282a4b0e4d85c31f0a63a1b9d63aadf3d01f2c03ccd9e8cd9f043e81b70900

    SHA512

    142ae9937e22d70f29baa23da242d8686aadb58638762eeb91c28c37eb6b0033b37642c51f982a64085b2eb719cc768b59f57c3989cac2ddb4bd431b426cc5ca

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SBJDRU3\rpc_shindig_random[1].js

    Filesize

    17KB

    MD5

    0ac770aa6d065c4f7ea98177e9420420

    SHA1

    ac286099bb09b1b3777c23d662282cb7c1fa1bfb

    SHA256

    fbd9a7627b8eee732c7f1393a8736593b27824b706046f38c4a444093165e561

    SHA512

    7f565af0595892c9737e61243194bd721657416227c18dfaa3e62e2fafa2f1b0a7a12ec0b4af7885e0d2e607006c46c87660e3d2c9fe2d6117e5ef567a3277b4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJMXAU3H\3698212825-postmessagerelay[1].js

    Filesize

    12KB

    MD5

    e89f3c34bd849d5b959045facdced264

    SHA1

    6a4ed30e37cf844b1f56d5d81dc6dfec1c611476

    SHA256

    37acf5f6aa181790c9f46f7a25b5c89ecc46c35603b9b62c3086228faf72b26d

    SHA512

    2049d0baf05f0a8214fefe3abb2b4c6e104dda723d2feb439313114922887045cdabb08e3cffb5a624dc13a3c0b2fdf28114098b8c8ccfc3555ea43f19f20f7b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJMXAU3H\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O5N1CMJ9\cb=gapi[1].js

    Filesize

    63KB

    MD5

    8448c1eb40e855ff3b5de9fd4513d933

    SHA1

    fc2bb63a7d81e649a78408f942d1b5367485e349

    SHA256

    63aaa2777db39521dafa0ba3815720599151adb12b4105f8848f597f97918d83

    SHA512

    b6608b64d71e94ecd68566f118708926af490c5f9f46cd051d1c6895b69bfc88a37171d47df8d00a4b157cd3afc57538260842e92cfd062bad819051c283d5be

  • C:\Users\Admin\AppData\Local\Temp\CabE765.tmp

    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\TarE766.tmp

    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ABA192DN.txt

    Filesize

    608B

    MD5

    c8bde4365ecf6ebcf6d197c22956b899

    SHA1

    0382f9c413b2dac017e3ef9378de1c7ee0d7f2b1

    SHA256

    0025274008224a3cdb82464edbf23ec6d6d5243834e1eb052fe18f7b592d6f33

    SHA512

    07d266d4e901203f23d7cffe7dbcafd32029e53ab7eccbff007d6a9686f11e99498d7de3eb931fde9007a8491f9b0dc5b2da9b1418f6bb05d65ad92bb8cff8e9
