Analysis
max time kernel: 1017s
max time network: 965s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 18-11-2024 16:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp=sharing_eip&ts=67378da0&sh=Z-sGzwd7gGEGHgSf&ca=1
Resource: win10v2004-20241007-en
General
Target: https://drive.google.com/file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp=sharing_eip&ts=67378da0&sh=Z-sGzwd7gGEGHgSf&ca=1
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow  ioc
8     drive.google.com
11    drive.google.com
Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
1552  msedge.exe
1552  msedge.exe
3956  msedge.exe
3956  msedge.exe
3476  identity_helper.exe
3476  identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid   Process
3956  msedge.exe  (all 6 entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
pid   Process
3956  msedge.exe  (all 25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process
3956  msedge.exe  (all 24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process     procid_target
PID 3956 wrote to memory of 3624  3956  msedge.exe  83  (2 entries)
PID 3956 wrote to memory of 4292  3956  msedge.exe  84  (repeated entries)
PID 3956 wrote to memory of 1552  3956  msedge.exe  85  (2 entries)
PID 3956 wrote to memory of 536   3956  msedge.exe  86  (repeated entries)
Processes
(child processes are indented under their parent)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp=sharing_eip&ts=67378da0&sh=Z-sGzwd7gGEGHgSf&ca=1
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3956

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8344446f8,0x7ff834444708,0x7ff834444718
  PID: 3624

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  PID: 4292

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 1552

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  PID: 536

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  PID: 264

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  PID: 2956

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  PID: 2488

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  PID: 1164

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  PID: 3792

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 3476

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  PID: 1232

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  PID: 4388

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16172175708095903774,9979879512021932165,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 /prefetch:2
  PID: 3628

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2844

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3324
Network

DNS query via 8.8.8.8:53
Request: drive.google.com IN A
Response: drive.google.com IN A 142.250.187.206

HTTP request by msedge.exe to 142.250.187.206:443
GET https://drive.google.com/file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp=sharing_eip&ts=67378da0&sh=Z-sGzwd7gGEGHgSf&ca=1
Request:
GET /file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp=sharing_eip&ts=67378da0&sh=Z-sGzwd7gGEGHgSf&ca=1 HTTP/2.0
host: drive.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

DNS query via 8.8.8.8:53
Request: 58.55.71.13.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: 4.159.190.20.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: accounts.google.com IN A
Response: accounts.google.com IN A 64.233.167.84

HTTP request by msedge.exe to 64.233.167.84:443
GET https://accounts.google.com/signin/collaboratoraccount?continue=https://drive.google.com/file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp%3Dsharing_eip%26ts%3D67378da0%26sh%3DZ-sGzwd7gGEGHgSf%26ca%3D1&hl=en_GB&atu=110527763705614640555
Request:
GET /signin/collaboratoraccount?continue=https://drive.google.com/file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp%3Dsharing_eip%26ts%3D67378da0%26sh%3DZ-sGzwd7gGEGHgSf%26ca%3D1&hl=en_GB&atu=110527763705614640555 HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=519=i2mh1RSCU90W2ObLMLssUm6LXaOqk8jlyaXVMNEdbO5UUbgzS3N6G4oHIU1gW3xzmcrdZ7760qY22vjsq4WvwRB0EW8Jjb-A8JNCmOKlPiF3Bn1RvI6-ECsl94h-NkXauaMenKxEeRuEEA5BQ-Yhd1Wpf_kcTG8-NKoSvnLBqo6Yrf8

HTTP request by msedge.exe to 64.233.167.84:443
GET https://accounts.google.com/v3/signin/challenge/ipe/consent?TL=AKOx4s3xsLqKnlSxy61jlyMCiXqZUJh9ABZF94WoPvVwoB1uJwLCTupzOHAO0YK9&atu=110527763705614640555&cid=1&continue=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm%2Fview%3Fusp%3Dsharing_eip%26ts%3D67378da0%26sh%3DZ-sGzwd7gGEGHgSf%26ca%3D1&flowName=GlifWebSignIn&hl=en_GB&flowEntry=CollabAccount
Request:
GET /v3/signin/challenge/ipe/consent?TL=AKOx4s3xsLqKnlSxy61jlyMCiXqZUJh9ABZF94WoPvVwoB1uJwLCTupzOHAO0YK9&atu=110527763705614640555&cid=1&continue=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm%2Fview%3Fusp%3Dsharing_eip%26ts%3D67378da0%26sh%3DZ-sGzwd7gGEGHgSf%26ca%3D1&flowName=GlifWebSignIn&hl=en_GB&flowEntry=CollabAccount HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=519=i2mh1RSCU90W2ObLMLssUm6LXaOqk8jlyaXVMNEdbO5UUbgzS3N6G4oHIU1gW3xzmcrdZ7760qY22vjsq4WvwRB0EW8Jjb-A8JNCmOKlPiF3Bn1RvI6-ECsl94h-NkXauaMenKxEeRuEEA5BQ-Yhd1Wpf_kcTG8-NKoSvnLBqo6Yrf8
cookie: __Host-GAPS=1:ymbnqPgbKkuEEPk6c_lbrFdYDUsgcQ:b4bjgD3rNV_Jefax

DNS query via 8.8.8.8:53
Request: 206.187.250.142.in-addr.arpa IN PTR
Response: 206.187.250.142.in-addr.arpa IN PTR lhr25s33-in-f14.1e100.net

DNS query via 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: 84.167.233.64.in-addr.arpa IN PTR
Response: 84.167.233.64.in-addr.arpa IN PTR wl-in-f84.1e100.net

DNS query via 8.8.8.8:53
Request: 3.178.250.142.in-addr.arpa IN PTR
Response: 3.178.250.142.in-addr.arpa IN PTR lhr48s27-in-f3.1e100.net

DNS query via 8.8.8.8:53
Request: 227.16.217.172.in-addr.arpa IN PTR
Response: 227.16.217.172.in-addr.arpa IN PTR lhr48s28-in-f3.1e100.net
Response: 227.16.217.172.in-addr.arpa IN PTR mad08s04-in-f3… (second answer truncated in the capture)

DNS query via 8.8.8.8:53
Request: www.google.com IN A
Response: www.google.com IN A 172.217.16.228

HTTP request to 172.217.16.228:443
Request:
GET /favicon.ico HTTP/2.0
host: www.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model:
sec-ch-ua-platform: "Windows"
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=519=i2mh1RSCU90W2ObLMLssUm6LXaOqk8jlyaXVMNEdbO5UUbgzS3N6G4oHIU1gW3xzmcrdZ7760qY22vjsq4WvwRB0EW8Jjb-A8JNCmOKlPiF3Bn1RvI6-ECsl94h-NkXauaMenKxEeRuEEA5BQ-Yhd1Wpf_kcTG8-NKoSvnLBqo6Yrf8

DNS query via 8.8.8.8:53
Request: 228.16.217.172.in-addr.arpa IN PTR
Response: 228.16.217.172.in-addr.arpa IN PTR mad08s04-in-f4.1e100.net
Response: 228.16.217.172.in-addr.arpa IN PTR lhr48s28-in-f4… (second answer truncated in the capture)

DNS query via 8.8.8.8:53
Request: 196.249.167.52.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: play.google.com IN A
Response: play.google.com IN A 142.250.187.206

HTTP request to 142.250.187.206:443
Request:
OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

DNS query via 8.8.8.8:53
Request: 18.31.95.13.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: 212.20.149.52.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: 21.236.111.52.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: 210.143.182.52.in-addr.arpa IN PTR
Response: (empty)

DNS query via 8.8.8.8:53
Request: 210.143.182.52.in-addr.arpa IN PTR
(no response recorded)

DNS query via 8.8.8.8:53
Request: accounts.google.com IN A
Response: accounts.google.com IN A 64.233.167.84

Flows
(traffic figures are given in the report's original order: bytes and packet counts)

Remote address: 142.250.187.206:443
Host: https://drive.google.com/file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp=sharing_eip&ts=67378da0&sh=Z-sGzwd7gGEGHgSf&ca=1
Protocol: tls, http2
Process: msedge.exe
Traffic: 2.2kB 10.2kB 20 20
HTTP Request: GET https://drive.google.com/file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp=sharing_eip&ts=67378da0&sh=Z-sGzwd7gGEGHgSf&ca=1

Remote address: 64.233.167.84:443
Host: https://accounts.google.com/v3/signin/challenge/ipe/consent?TL=AKOx4s3xsLqKnlSxy61jlyMCiXqZUJh9ABZF94WoPvVwoB1uJwLCTupzOHAO0YK9&atu=110527763705614640555&cid=1&continue=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm%2Fview%3Fusp%3Dsharing_eip%26ts%3D67378da0%26sh%3DZ-sGzwd7gGEGHgSf%26ca%3D1&flowName=GlifWebSignIn&hl=en_GB&flowEntry=CollabAccount
Protocol: tls, http2
Process: msedge.exe
Traffic: 4.7kB 121.8kB 62 104
HTTP Request: GET https://accounts.google.com/signin/collaboratoraccount?continue=https://drive.google.com/file/d/1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm/view?usp%3Dsharing_eip%26ts%3D67378da0%26sh%3DZ-sGzwd7gGEGHgSf%26ca%3D1&hl=en_GB&atu=110527763705614640555
HTTP Request: GET https://accounts.google.com/v3/signin/challenge/ipe/consent?TL=AKOx4s3xsLqKnlSxy61jlyMCiXqZUJh9ABZF94WoPvVwoB1uJwLCTupzOHAO0YK9&atu=110527763705614640555&cid=1&continue=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1rdmS1fDaHAYUg-ffOSwekYdrZ2w92icm%2Fview%3Fusp%3Dsharing_eip%26ts%3D67378da0%26sh%3DZ-sGzwd7gGEGHgSf%26ca%3D1&flowName=GlifWebSignIn&hl=en_GB&flowEntry=CollabAccount

Remote address: (not recorded)
Traffic: 2.3kB 8.0kB 19 16
HTTP Request: GET https://www.google.com/favicon.ico

Remote address: 142.250.187.206:443
Host: https://play.google.com/log?format=json&hasfast=true&authuser=0
Protocol: tls, http2
Process: msedge.exe
Traffic: 1.9kB 8.5kB 18 20
HTTP Request: OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0

Remaining flows
Traffic             | Request                                   | Response
62 B 78 B 1 1       | DNS drive.google.com                      | 142.250.187.206
70 B 144 B 1 1      | DNS 58.55.71.13.in-addr.arpa              |
74 B 128 B 1 1      | DNS 172.214.232.199.in-addr.arpa          |
71 B 157 B 1 1      | DNS 4.159.190.20.in-addr.arpa             |
65 B 81 B 1 1       | DNS accounts.google.com                   | 64.233.167.84
74 B 113 B 1 1      | DNS 206.187.250.142.in-addr.arpa          |
73 B 144 B 1 1      | DNS 95.221.229.192.in-addr.arpa           |
72 B 105 B 1 1      | DNS 84.167.233.64.in-addr.arpa            |
6.1kB 11.1kB 25 27  | (not recorded)                            |
72 B 110 B 1 1      | DNS 3.178.250.142.in-addr.arpa            |
73 B 140 B 1 1      | DNS 227.16.217.172.in-addr.arpa           |
60 B 76 B 1 1       | DNS www.google.com                        | 172.217.16.228
73 B 140 B 1 1      | DNS 228.16.217.172.in-addr.arpa           |
521 B 8             | (not recorded)                            |
73 B 147 B 1 1      | DNS 196.249.167.52.in-addr.arpa           |
61 B 77 B 1 1       | DNS play.google.com                       | 142.250.187.206
7.1kB 8.4kB 13 15   | (not recorded)                            |
70 B 144 B 1 1      | DNS 18.31.95.13.in-addr.arpa              |
72 B 146 B 1 1      | DNS 212.20.149.52.in-addr.arpa            |
74 B 128 B 1 1      | DNS 172.210.232.199.in-addr.arpa          |
3.2kB 4.0kB 8 10    | (not recorded)                            |
72 B 158 B 1 1      | DNS 21.236.111.52.in-addr.arpa            |
146 B 147 B 2 1     | DNS 210.143.182.52.in-addr.arpa (2 requests) |
65 B 81 B 1 1       | DNS accounts.google.com                   | 64.233.167.84
2.9kB 4.1kB 9 8     | (not recorded)                            |
MITRE ATT&CK Enterprise v15
Downloads