Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
12-11-2024 15:03
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://drive.google.com/file/d/16FjWtA49scMZ-JdUY5su-xaUH4ZxvakE/view?usp=sharing_eip&ts=67322bc1
Resource
win11-20241007-en
General
-
Target
https://drive.google.com/file/d/16FjWtA49scMZ-JdUY5su-xaUH4ZxvakE/view?usp=sharing_eip&ts=67322bc1
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 drive.google.com 5 drive.google.com -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3372 msedge.exe 3372 msedge.exe 3412 msedge.exe 3412 msedge.exe 1876 msedge.exe 1876 msedge.exe 4808 identity_helper.exe 4808 identity_helper.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe 3412 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3412 wrote to memory of 2936 3412 msedge.exe 79 PID 3412 wrote to memory of 2936 3412 msedge.exe 79 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 2772 3412 msedge.exe 80 PID 3412 wrote to memory of 3372 3412 msedge.exe 81 PID 3412 wrote to memory of 3372 3412 msedge.exe 81 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82 PID 3412 wrote to memory of 1948 3412 msedge.exe 82
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/16FjWtA49scMZ-JdUY5su-xaUH4ZxvakE/view?usp=sharing_eip&ts=67322bc11⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff70493cb8,0x7fff70493cc8,0x7fff70493cd82⤵PID:2936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:22⤵PID:2772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:82⤵PID:1948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵PID:2408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵PID:2724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:12⤵PID:2992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵PID:3836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:12⤵PID:1064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:12⤵PID:1376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,8804746038173793795,4492476719881169542,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5800 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3916
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2620
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1080
Network
-
Remote address:8.8.8.8:53Requestdrive.google.comIN AResponsedrive.google.comIN A142.250.187.206
-
Remote address:8.8.8.8:53Requestctldl.windowsupdate.comIN AResponsectldl.windowsupdate.comIN CNAMEctldl.windowsupdate.com.delivery.microsoft.comctldl.windowsupdate.com.delivery.microsoft.comIN CNAMEwu-b-net.trafficmanager.netwu-b-net.trafficmanager.netIN CNAMEbg.microsoft.map.fastly.netbg.microsoft.map.fastly.netIN A199.232.210.172bg.microsoft.map.fastly.netIN A199.232.214.172
-
Remote address:8.8.8.8:53Requestfonts.googleapis.comIN AResponsefonts.googleapis.comIN A142.250.178.10
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request227.16.217.172.in-addr.arpaIN PTRResponse227.16.217.172.in-addr.arpaIN PTRlhr48s28-in-f31e100net227.16.217.172.in-addr.arpaIN PTRmad08s04-in-f3�H
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.227.13
-
GEThttps://drive.google.com/file/d/16FjWtA49scMZ-JdUY5su-xaUH4ZxvakE/view?usp=sharing_eip&ts=67322bc1msedge.exeRemote address:142.250.187.206:443RequestGET /file/d/16FjWtA49scMZ-JdUY5su-xaUH4ZxvakE/view?usp=sharing_eip&ts=67322bc1 HTTP/2.0
host: drive.google.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:8.8.8.8:53Request206.187.250.142.in-addr.arpaIN PTRResponse206.187.250.142.in-addr.arpaIN PTRlhr25s33-in-f141e100net
-
Remote address:8.8.8.8:53Requestdocs.google.comIN AResponsedocs.google.comIN A172.217.169.78
-
Remote address:8.8.8.8:53Requestctldl.windowsupdate.comIN AResponsectldl.windowsupdate.comIN CNAMEctldl.windowsupdate.com.delivery.microsoft.comctldl.windowsupdate.com.delivery.microsoft.comIN CNAMEwu-b-net.trafficmanager.netwu-b-net.trafficmanager.netIN CNAMEdownload.windowsupdate.com.edgesuite.netdownload.windowsupdate.com.edgesuite.netIN CNAMEa767.dspw65.akamai.neta767.dspw65.akamai.netIN A2.23.210.88a767.dspw65.akamai.netIN A2.23.210.83
-
Remote address:8.8.8.8:53Request67.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestfonts.gstatic.comIN AResponsefonts.gstatic.comIN A142.250.200.35
-
Remote address:8.8.8.8:53Request78.169.217.172.in-addr.arpaIN PTRResponse78.169.217.172.in-addr.arpaIN PTRlhr48s09-in-f141e100net
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request35.200.250.142.in-addr.arpaIN PTRResponse35.200.250.142.in-addr.arpaIN PTRlhr48s30-in-f31e100net
-
Remote address:8.8.8.8:53Requestself.events.data.microsoft.comIN AResponseself.events.data.microsoft.comIN CNAMEself-events-data.trafficmanager.netself-events-data.trafficmanager.netIN CNAMEonedscolprdwus21.westus.cloudapp.azure.comonedscolprdwus21.westus.cloudapp.azure.comIN A20.189.173.27
-
Remote address:172.217.16.227:443RequestGET /images/branding/googlelogo/1x/googlelogo_color_116x41dp.png HTTP/2.0
host: ssl.gstatic.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://drive.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:172.217.16.227:443RequestGET /images/branding/product/1x/drive_2020q4_32dp.png HTTP/2.0
host: ssl.gstatic.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://drive.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:172.217.169.78:443RequestGET /favicon.ico HTTP/2.0
host: docs.google.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://drive.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=519=uedBo87atpYDAyBGtfVwo89HdvMAJSEOlSbqYpAomf9gUVM__8HdcytZrNplN-S93VPVNViA786QHbqTvcCDV3A5_j5wKPx2-ufhMKeXxMLGC7d8m4IJfpnCKGbcxhtcIqYMBgwxC8jjgZodhPSR17dW5x8ryAbgBI4WBdu23hodV7A6
-
142.250.187.206:443https://drive.google.com/file/d/16FjWtA49scMZ-JdUY5su-xaUH4ZxvakE/view?usp=sharing_eip&ts=67322bc1tls, http2msedge.exe2.2kB 10.7kB 21 23
HTTP Request
GET https://drive.google.com/file/d/16FjWtA49scMZ-JdUY5su-xaUH4ZxvakE/view?usp=sharing_eip&ts=67322bc1 -
172.217.16.227:443https://ssl.gstatic.com/images/branding/product/1x/drive_2020q4_32dp.pngtls, http2msedge.exe2.3kB 9.9kB 22 24
HTTP Request
GET https://ssl.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_116x41dp.pngHTTP Request
GET https://ssl.gstatic.com/images/branding/product/1x/drive_2020q4_32dp.png -
2.1kB 8.8kB 18 20
HTTP Request
GET https://docs.google.com/favicon.ico
-
412 B 768 B 6 6
DNS Request
drive.google.com
DNS Response
142.250.187.206
DNS Request
ctldl.windowsupdate.com
DNS Response
199.232.210.172199.232.214.172
DNS Request
fonts.googleapis.com
DNS Response
142.250.178.10
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
227.16.217.172.in-addr.arpa
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.227.13
-
204 B 473 B 3 3
DNS Request
206.187.250.142.in-addr.arpa
DNS Request
docs.google.com
DNS Response
172.217.169.78
DNS Request
ctldl.windowsupdate.com
DNS Response
2.23.210.882.23.210.83
-
279 B 506 B 4 4
DNS Request
67.31.126.40.in-addr.arpa
DNS Request
fonts.gstatic.com
DNS Response
142.250.200.35
DNS Request
78.169.217.172.in-addr.arpa
DNS Request
13.227.111.52.in-addr.arpa
-
223 B 433 B 3 3
DNS Request
172.210.232.199.in-addr.arpa
DNS Request
35.200.250.142.in-addr.arpa
DNS Request
self.events.data.microsoft.com
DNS Response
20.189.173.27
-
3.1kB 5.9kB 6 7
-
524 B 8
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e1544690d41d950f9c1358068301cfb5
SHA1ae3ff81363fcbe33c419e49cabef61fb6837bffa
SHA25653d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724
SHA5121e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da
-
Filesize
152B
MD59314124f4f0ad9f845a0d7906fd8dfd8
SHA10d4f67fb1a11453551514f230941bdd7ef95693c
SHA256cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e
SHA51287b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85
-
Filesize
1KB
MD5a7e3df5f876752af36e8ab8c9889bf55
SHA14d38530ed2e359169e662a70f2101fac4828bab5
SHA256134289d94c869fe21ae467096af713c994221ea703a3f1f94fe4112aba10202c
SHA512591eaf98f5342ed22902fe90fcc32a20c15132d36b3f22a5a6002e217ce5981121f1f1176260b24b65da16990e1c5f4801c686f04c2c84c39f2970d87409228a
-
Filesize
5KB
MD50d996828c006f2f4e5830ad5e4a9bada
SHA13cc792d5e1561d89d8c303e162f60126f0432b63
SHA25685d02a55283f28e0e5dc4d66c13f4c4c6d5672b6b6adf013aeaa6059bd287d23
SHA512e6e758710ca992373e5a269705ea526d1cae92917ee91ae920ea5a8bb93e7d06ccf1ab1b75b106859b954c828186fc32174c714bbfa072b0ba8126213cd611cc
-
Filesize
6KB
MD573f9a5361791763ebcddb519edbe9863
SHA11ab19e2589774f7388f10c1b50215d88bf302465
SHA25624bd03d55f7559dcb80c05b9fa475554230e590516aee78c91d068e5bc416769
SHA512fffd9cf1dfc68bc72e04f66db70b294f205795ae98b77dc6aa0c15bccac9517b05dc50a3f6ecd6d273f22539aadc16a0c59cd725b08d436c91df8b6624d4533c
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5637bc302e3803a178b158c2da32ec00e
SHA13fb27b86bb7dbe5ce5465a4a6e4536a8441bb8a3
SHA256b40e7bd9278d01601ad24961201c0b502bf6eb901b83f491215bbd5ea07a2cc2
SHA5127b2e84f50e2bb0a5dc91c4e8f027b2c3a1d0e5939a42bcdcf426bd16d0d916d1eebaa5d703b5a48862a4ed35899c92725b2640eb824bc56851e27726be75c789