hxxps://drive[.]google[.]com/uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download

Analysis

max time kernel
480s
max time network
484s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 23:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4444	msedge.exe
4444	msedge.exe
2304	identity_helper.exe
2304	identity_helper.exe
840	msedge.exe
840	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe
4316	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 2436	4444	msedge.exe	83
PID 4444 wrote to memory of 2436	4444	msedge.exe	83
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 3652	4444	msedge.exe	84
PID 4444 wrote to memory of 4968	4444	msedge.exe	85
PID 4444 wrote to memory of 4968	4444	msedge.exe	85
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86
PID 4444 wrote to memory of 4372	4444	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffade5446f8,0x7ffade544708,0x7ffade544718
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,601629555393118748,711368271297826266,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5204 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2368

Network

DNS

drive.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

drive.google.com

IN A

Response

drive.google.com

IN A

172.217.168.206
GET

https://drive.google.com/uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download

msedge.exe

Remote address:

172.217.168.206:443

Request

GET /uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download HTTP/2.0
host: drive.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

drive.usercontent.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

142.250.179.129
GET

https://drive.usercontent.google.com/download?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download

msedge.exe

Remote address:

142.250.179.129:443

Request

GET /download?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download HTTP/2.0
host: drive.usercontent.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

206.168.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.168.217.172.in-addr.arpa

IN PTR

Response

206.168.217.172.in-addr.arpa

IN PTR

ams16s32-in-f141e100net
DNS

133.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.32.126.40.in-addr.arpa

IN PTR

Response
DNS

129.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.179.250.142.in-addr.arpa

IN PTR

Response

129.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f11e100net
DNS

45.19.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.19.74.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

90.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.65.42.20.in-addr.arpa

IN PTR

Response

172.217.168.206:443

https://drive.google.com/uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download

tls, http2

msedge.exe

2.3kB
9.9kB
22
21

HTTP Request

GET https://drive.google.com/uc?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download
142.250.179.129:443

https://drive.usercontent.google.com/download?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download

tls, http2

msedge.exe

6.5kB
261.7kB
113
202

HTTP Request

GET https://drive.usercontent.google.com/download?id=12WBT8qXg0FZyiIfnQfimIrN-sUpoTREP&export=download

8.8.8.8:53

drive.google.com

dns

msedge.exe

62 B
78 B
1
1

DNS Request

drive.google.com

DNS Response

172.217.168.206
8.8.8.8:53

drive.usercontent.google.com

dns

msedge.exe

74 B
90 B
1
1

DNS Request

drive.usercontent.google.com

DNS Response

142.250.179.129
8.8.8.8:53

206.168.217.172.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.168.217.172.in-addr.arpa
8.8.8.8:53

133.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

133.32.126.40.in-addr.arpa
8.8.8.8:53

129.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

129.179.250.142.in-addr.arpa
224.0.0.251:5353

584 B
9
8.8.8.8:53

45.19.74.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

45.19.74.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

90.65.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

90.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
512B

MD5
6137b0760f0ed2c3fe88d3cfc714e916

SHA1
15cb9bc601bc86ed459284ad66591cd29a8f7dca

SHA256
47592761566b9cb3837c4c24bbc39a3c43890f5024780928a4073e7a6de817d8

SHA512
d28309f2d2065f834ddeed0d2b4505a0f205acb652780ae35eb89f231367823e9751dd2680e8ea5de2effb6ba1a98102fe1480e0d179bff842bc531c0e43675d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7e60cf5777407f9be29a7770575fc58

SHA1
6e59ee306ff2c5ac1e75458214f9eb18a1f80d18

SHA256
384156784ba6a8230ef692428137eb40c07cb950610d9eaee1b4ffedb8025b03

SHA512
68d6ce566d407ab5da921387a8e7100f35fab4a6917065c01b777d831b7796b334115c1e30f340d852477af88d73046187f487ec359271a77b9e421b94f297c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d69450b3581380bd12764f9b38e5854

SHA1
b3ea9c2ab59a3be11fa223bfd86a58c85e17d2f3

SHA256
3f6ceed7963433ee69b99c304bf89bbafeec5c89e5a7b2d4424c7fb1520bc977

SHA512
8e7d6cba1cb715f06d23dd2d684654eb14f38ca793d929ee00512a8659668d36743d73e1b6cb782ab2454b9345cbbb36c1bb1ca2d29168c1529f20192876a2fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
305e4caa24a43c1077f070914e7d5daa

SHA1
aee78368917fa8c0586af8c4c84d7a6533bce8b6

SHA256
a2e68dc3500752508bba0837972a2d6348b92e37911b772fa97763e3d5272b1c

SHA512
730ba098376a83091f893fdc43ab242c0a9776889788c8d0ebf3dff1b039c6950b1adea7d439d093ce0eca19a4baa2b54f3126b669f94bf6118d025b1d1a361e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6b2b69eb14b093b80202a709f6f1bae1

SHA1
40fa287391204bafdadad187c35cf442ccabb287

SHA256
17077242f0eb94ab4d7b8b917b75d13154f08a786a8b4c00af13f4fe313b897a

SHA512
f388e5850be04b4c6d1f9330306eca864d2330eabcfee5311720cb84758e9f90a454429eb1add953031e0d4e8aea83db79baa7cea6bb4836ad145fa1875b2193

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.