Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2024 19:43
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp=drive_web
Resource
win10v2004-20241007-en
General
-
Target
https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp=drive_web
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 7 drive.google.com 10 drive.google.com -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2796 msedge.exe 2796 msedge.exe 3916 msedge.exe 3916 msedge.exe 4964 identity_helper.exe 4964 identity_helper.exe 2744 msedge.exe 2744 msedge.exe 2744 msedge.exe 2744 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe 3916 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3916 wrote to memory of 1472 3916 msedge.exe 82 PID 3916 wrote to memory of 1472 3916 msedge.exe 82 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 5080 3916 msedge.exe 83 PID 3916 wrote to memory of 2796 3916 msedge.exe 84 PID 3916 wrote to memory of 2796 3916 msedge.exe 84 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85 PID 3916 wrote to memory of 2032 3916 msedge.exe 85
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp=drive_web1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe662046f8,0x7ffe66204708,0x7ffe662047182⤵PID:1472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:22⤵PID:5080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:82⤵PID:2032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵PID:4520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:12⤵PID:1376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:82⤵PID:4944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵PID:2492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:12⤵PID:876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵PID:852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:12⤵PID:4508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6247615377247944156,7722483290648064069,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2744
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:892
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4708
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Requestdrive.google.comIN AResponsedrive.google.comIN A142.250.180.14
-
Remote address:142.250.180.14:443RequestGET /file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp=drive_web HTTP/2.0
host: drive.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.180.250.142.in-addr.arpaIN PTRResponse14.180.250.142.in-addr.arpaIN PTRlhr25s32-in-f141e100net
-
Remote address:8.8.8.8:53Request99.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request138.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestaccounts.google.comIN AResponseaccounts.google.comIN A142.251.173.84
-
GEThttps://accounts.google.com/ServiceLogin?service=wise&passive=1209600&osid=1&continue=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web&followup=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_webmsedge.exeRemote address:142.251.173.84:443RequestGET /ServiceLogin?service=wise&passive=1209600&osid=1&continue=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web&followup=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=519=gBoSLpAXZ4OhnWmFJb_lkxZC0JfGrhGyAsJMVWafIXj0PugaR0hwvjr_lYu0s1eqVERrpOKMQcdf4Bjap-ZnXTOkAHaWAo-e4gqHhV5NladGvNeUnZRyKmI4nn9uykuY2y7tRK3OyMqVfQaQ3U4Y20UO3UhZ4usDnYUM21fjbv_BumRQ
-
GEThttps://accounts.google.com/InteractiveLogin?continue=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web&followup=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web&osid=1&passive=1209600&service=wise&ifkv=AcMMx-eL5EAak4Y1DpEMttd_Z-btglt28ZWU6EA5vA9YwqgYnzpnQtEVDreawkFJ8hDIkk6hP-RZlQmsedge.exeRemote address:142.251.173.84:443RequestGET /InteractiveLogin?continue=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web&followup=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web&osid=1&passive=1209600&service=wise&ifkv=AcMMx-eL5EAak4Y1DpEMttd_Z-btglt28ZWU6EA5vA9YwqgYnzpnQtEVDreawkFJ8hDIkk6hP-RZlQ HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=519=gBoSLpAXZ4OhnWmFJb_lkxZC0JfGrhGyAsJMVWafIXj0PugaR0hwvjr_lYu0s1eqVERrpOKMQcdf4Bjap-ZnXTOkAHaWAo-e4gqHhV5NladGvNeUnZRyKmI4nn9uykuY2y7tRK3OyMqVfQaQ3U4Y20UO3UhZ4usDnYUM21fjbv_BumRQ
cookie: __Host-GAPS=1:TflupLZ-LSkcovUJ4yfNBHcW8rTJGQ:iAoaEW6WjA4MCKb5
-
GEThttps://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH%2Fview%3Fusp%3Ddrive_web&followup=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH%2Fview%3Fusp%3Ddrive_web&ifkv=AcMMx-eAwyvrRe5dPh-d-65W2-oJtHx3gHjLdFL71i7RCqiUOQ05ahMrLLbKeJhaMnaz8Ahf0eKmZg&osid=1&passive=1209600&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1860816358%3A1732563801620016&ddm=1msedge.exeRemote address:142.251.173.84:443RequestGET /v3/signin/identifier?continue=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH%2Fview%3Fusp%3Ddrive_web&followup=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH%2Fview%3Fusp%3Ddrive_web&ifkv=AcMMx-eAwyvrRe5dPh-d-65W2-oJtHx3gHjLdFL71i7RCqiUOQ05ahMrLLbKeJhaMnaz8Ahf0eKmZg&osid=1&passive=1209600&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1860816358%3A1732563801620016&ddm=1 HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=519=gBoSLpAXZ4OhnWmFJb_lkxZC0JfGrhGyAsJMVWafIXj0PugaR0hwvjr_lYu0s1eqVERrpOKMQcdf4Bjap-ZnXTOkAHaWAo-e4gqHhV5NladGvNeUnZRyKmI4nn9uykuY2y7tRK3OyMqVfQaQ3U4Y20UO3UhZ4usDnYUM21fjbv_BumRQ
cookie: __Host-GAPS=1:TflupLZ-LSkcovUJ4yfNBHcW8rTJGQ:iAoaEW6WjA4MCKb5
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request84.173.251.142.in-addr.arpaIN PTRResponse84.173.251.142.in-addr.arpaIN PTRwi-in-f841e100net
-
Remote address:8.8.8.8:53Request3.178.250.142.in-addr.arpaIN PTRResponse3.178.250.142.in-addr.arpaIN PTRlhr48s27-in-f31e100net
-
Remote address:8.8.8.8:53Request227.16.217.172.in-addr.arpaIN PTRResponse227.16.217.172.in-addr.arpaIN PTRlhr48s28-in-f31e100net227.16.217.172.in-addr.arpaIN PTRmad08s04-in-f3�H
-
Remote address:8.8.8.8:53Requestplay.google.comIN AResponseplay.google.comIN A142.250.187.206
-
Remote address:142.250.187.206:443RequestOPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:142.250.187.206:443RequestOPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A172.217.16.228
-
Remote address:172.217.16.228:443RequestGET /favicon.ico HTTP/2.0
host: www.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model:
sec-ch-ua-platform: "Windows"
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=519=gBoSLpAXZ4OhnWmFJb_lkxZC0JfGrhGyAsJMVWafIXj0PugaR0hwvjr_lYu0s1eqVERrpOKMQcdf4Bjap-ZnXTOkAHaWAo-e4gqHhV5NladGvNeUnZRyKmI4nn9uykuY2y7tRK3OyMqVfQaQ3U4Y20UO3UhZ4usDnYUM21fjbv_BumRQ
-
Remote address:8.8.8.8:53Request228.16.217.172.in-addr.arpaIN PTRResponse228.16.217.172.in-addr.arpaIN PTRlhr48s28-in-f41e100net228.16.217.172.in-addr.arpaIN PTRmad08s04-in-f4�H
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request92.12.20.2.in-addr.arpaIN PTRResponse92.12.20.2.in-addr.arpaIN PTRa2-20-12-92deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
142.250.180.14:443https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp=drive_webtls, http2msedge.exe2.0kB 10.1kB 17 18
HTTP Request
GET https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp=drive_web -
142.251.173.84:443https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH%2Fview%3Fusp%3Ddrive_web&followup=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH%2Fview%3Fusp%3Ddrive_web&ifkv=AcMMx-eAwyvrRe5dPh-d-65W2-oJtHx3gHjLdFL71i7RCqiUOQ05ahMrLLbKeJhaMnaz8Ahf0eKmZg&osid=1&passive=1209600&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1860816358%3A1732563801620016&ddm=1tls, http2msedge.exe6.8kB 179.1kB 84 148
HTTP Request
GET https://accounts.google.com/ServiceLogin?service=wise&passive=1209600&osid=1&continue=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web&followup=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_webHTTP Request
GET https://accounts.google.com/InteractiveLogin?continue=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web&followup=https://drive.google.com/file/d/1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH/view?usp%3Ddrive_web&osid=1&passive=1209600&service=wise&ifkv=AcMMx-eL5EAak4Y1DpEMttd_Z-btglt28ZWU6EA5vA9YwqgYnzpnQtEVDreawkFJ8hDIkk6hP-RZlQHTTP Request
GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH%2Fview%3Fusp%3Ddrive_web&followup=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1uQ5c3FypZ9aeJji0de8wlcQI8CMZ-7yH%2Fview%3Fusp%3Ddrive_web&ifkv=AcMMx-eAwyvrRe5dPh-d-65W2-oJtHx3gHjLdFL71i7RCqiUOQ05ahMrLLbKeJhaMnaz8Ahf0eKmZg&osid=1&passive=1209600&service=wise&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1860816358%3A1732563801620016&ddm=1 -
142.250.187.206:443https://play.google.com/log?format=json&hasfast=true&authuser=0tls, http2msedge.exe2.0kB 8.5kB 17 18
HTTP Request
OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0HTTP Request
OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0 -
989 B 7.6kB 9 9
-
2.1kB 8.0kB 16 16
HTTP Request
GET https://www.google.com/favicon.ico
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
drive.google.com
DNS Response
142.250.180.14
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
73 B 112 B 1 1
DNS Request
14.180.250.142.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
99.209.201.84.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
138.32.126.40.in-addr.arpa
-
65 B 81 B 1 1
DNS Request
accounts.google.com
DNS Response
142.251.173.84
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
6.2kB 10.6kB 24 25
-
73 B 106 B 1 1
DNS Request
84.173.251.142.in-addr.arpa
-
73 B 140 B 1 1
DNS Request
227.16.217.172.in-addr.arpa
-
72 B 110 B 1 1
DNS Request
3.178.250.142.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
play.google.com
DNS Response
142.250.187.206
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
172.217.16.228
-
9.8kB 10.6kB 23 26
-
73 B 140 B 1 1
DNS Request
228.16.217.172.in-addr.arpa
-
521 B 8
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
69 B 131 B 1 1
DNS Request
92.12.20.2.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
4.4kB 4.0kB 8 9
-
72 B 158 B 1 1
DNS Request
30.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\689fe1f6-0be3-4c27-a878-6a1245369071.tmp
Filesize1KB
MD5f6a7301a388809e2dcf8f764ea2f57b0
SHA1d81cef46477ef78fa32f801bfff17e0a98d43756
SHA25606b8ec81ba411095c93201e0a234f04f55470a3e6bf5ddad7548afbc1c2bf3b3
SHA512f8e244149f6595d10e8f63749b0f5d33977b062d1e47540e9433fdaf5a26c89a0416d27dbf0a53845f9c0f13ca849bfdf5ef6c37a15c5204980143c4390f206e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize336B
MD5e2a26f54658bef0c04e47fcb4576dccd
SHA10bc5e5f0248744a59a9abdb736c6065c7cd88d6a
SHA256e4e4f2079a76c79fd89aeb561d7f7207a982d4ce4b5adf1e0b698c6a7a5a7925
SHA512621cc3caaab227489a75e7cc303d9b8ec649d267ae374e0d22e0daccdd00ef33791a809b638febb3e691538552c7609dde8b6b5afebd543c50a336c3b552267e
-
Filesize
1KB
MD5bb5543ac55ae40f0de1e63c4db2a6ced
SHA1c5b64ef0ef9f9752f13664999b2f2b9e7f6a60e1
SHA256741a3974b3200e20d23243d671cd2b069e12d536b624e03dcb9732db106c2a20
SHA5121eac4ae6fe70aac42205c09ceeb3e5b2078aa2a22dbec5f5a59fa9e32c68ae4cb68bcbe9e1cee379b561ed6e1eef17655a252ccc261bf7747f49e61aae01e630
-
Filesize
5KB
MD5e376ec9d780c0d0e12e3577719a73060
SHA14ba5f44e857490f2824fff02cf7bcb4256e47990
SHA256063a26d59e505f6c7caf8634475963cff3551936ce3c0ec4083d90f4be49027b
SHA512aa3aa96c8e0266ceaa0bf9882c039c436f6b10283ca12875c08948985f113fb3d919bcf3a6ac8958256a356e39af235f8db34411991caeee5930bcc35bba3de9
-
Filesize
6KB
MD5f7e869a9c39bde924d959e7cc7396aa2
SHA1ec15eff2969f73702a0120271938e57aa087702f
SHA256594083af6a69a68fef2e5720650de1f1328aa71f6583204595d0403bd2df8304
SHA5124b368888f1d42ac795b9ac3499b0cde672ae78595233060009c17d975d65603367d5bda4566b46dc7df8fce4901e1e7a4d0ef634f6a3b385b2cfaff6d7b38aa7
-
Filesize
203B
MD5437e9cc98590ec19666626fe13e62b59
SHA1211c493608b0acf7fe13ce03522c72a7bcf2291a
SHA2561f8010c72c06f42ce8dac6a5d1c2ee841f90cf43c76aab841b268d6ee0377205
SHA5126b7bc17d4a197e33d766673498f86e4ccf5d7fb1d9ce820c28edaf936a7a6846cb2ebfba1367a3eea41d491cc6e69a34b49bfd109a5751745fc33a31ac8d3543
-
Filesize
201B
MD5b608d874b6179d810ad10dbb74ff3f13
SHA11604f4493d0ccdda22cb785f69aed59b787220c7
SHA25668582133ece9868d7da08b191d9fc6cb2ee10a9f680d96b5b319aa6625d11330
SHA5124b78d351da02d0df71d3d7ac1bd082efffcc4c95649923875d0ca4d4e64fb60e07076d34ad8df99b3c981b60498fe223ec0e0066e354195cc505b45dbe632297
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD54d6d8715dc6b69f614d55e8aab5a460f
SHA1f0f13a2f2a96beba5a86b06760263d6219487c89
SHA2567418334c672bf12076fd3bdc0802d26f5a960233818c8544da1133be3a7e049e
SHA51282688e4da6a4642b0e54b38a14f36302cad798cf53c79b81b271596f78af0274a3473d39edce190229fde3fa6f163f8c88095a5f7d8be535743df64326ecfb15