Analysis

  • max time kernel
    77s
  • max time network
    79s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    18/12/2024, 19:47 UTC

General

  • Target

    https://gofile.io/d/KRUCik

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

C2

204.10.194.175:4444

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-46FS9Q

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/KRUCik
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7ffefe1d3cb8,0x7ffefe1d3cc8,0x7ffefe1d3cd8
      2⤵
        PID:2304
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
        2⤵
          PID:4600
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:868
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
          2⤵
            PID:3244
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
            2⤵
              PID:3636
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
              2⤵
                PID:692
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
                2⤵
                  PID:1112
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
                  2⤵
                    PID:2140
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
                    2⤵
                      PID:3552
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
                      2⤵
                        PID:3128
                      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2976
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
                        2⤵
                          PID:2020
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
                          2⤵
                            PID:864
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2004
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
                            2⤵
                              PID:3280
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
                              2⤵
                                PID:3440
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6508 /prefetch:8
                                2⤵
                                  PID:464
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
                                  2⤵
                                  • Subvert Trust Controls: Mark-of-the-Web Bypass
                                  • NTFS ADS
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2060
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1496
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:748
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:3576
                                    • C:\Users\Admin\Downloads\WaveSourceInstaller.exe
                                      "C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • NTFS ADS
                                      PID:3952
                                      • C:\Windows\SysWOW64\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3900
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4036
                                          • C:\ProgramData\Remcos\remcos.exe
                                            C:\ProgramData\Remcos\remcos.exe
                                            4⤵
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious behavior: MapViewOfSection
                                            PID:3992
                                            • \??\c:\program files (x86)\internet explorer\iexplore.exe
                                              "c:\program files (x86)\internet explorer\iexplore.exe"
                                              5⤵
                                                PID:4388

Network

                                      • flag-us
                                        DNS
                                        gofile.io
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        gofile.io
                                        IN A
                                        Response
                                        gofile.io
                                        IN A
                                        45.112.123.126
                                      • flag-us
                                        DNS
                                        login.live.com
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        login.live.com
                                        IN A
                                        Response
                                        login.live.com
                                        IN CNAME
                                        login.msa.msidentity.com
                                        login.msa.msidentity.com
                                        IN CNAME
                                        www.tm.lg.prod.aadmsa.trafficmanager.net
                                        www.tm.lg.prod.aadmsa.trafficmanager.net
                                        IN CNAME
                                        prdv4a.aadg.msidentity.com
                                        prdv4a.aadg.msidentity.com
                                        IN CNAME
                                        www.tm.v4.a.prd.aadg.trafficmanager.net
                                        www.tm.v4.a.prd.aadg.trafficmanager.net
                                        IN A
                                        20.190.159.23
                                        www.tm.v4.a.prd.aadg.trafficmanager.net
                                        IN A
                                        40.126.31.69
                                        www.tm.v4.a.prd.aadg.trafficmanager.net
                                        IN A
                                        20.190.159.75
                                        www.tm.v4.a.prd.aadg.trafficmanager.net
                                        IN A
                                        20.190.159.71
                                        www.tm.v4.a.prd.aadg.trafficmanager.net
                                        IN A
                                        20.190.159.68
                                        www.tm.v4.a.prd.aadg.trafficmanager.net
                                        IN A
                                        20.190.159.4
                                        www.tm.v4.a.prd.aadg.trafficmanager.net
                                        IN A
                                        40.126.31.71
                                        www.tm.v4.a.prd.aadg.trafficmanager.net
                                        IN A
                                        40.126.31.73
                                      • flag-us
                                        DNS
                                        ocsp.digicert.com
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        ocsp.digicert.com
                                        IN A
                                        Response
                                        ocsp.digicert.com
                                        IN CNAME
                                        ocsp.edge.digicert.com
                                        ocsp.edge.digicert.com
                                        IN CNAME
                                        fp2e7a.wpc.2be4.phicdn.net
                                        fp2e7a.wpc.2be4.phicdn.net
                                        IN CNAME
                                        fp2e7a.wpc.phicdn.net
                                        fp2e7a.wpc.phicdn.net
                                        IN A
                                        192.229.221.95
                                      • flag-us
                                        DNS
                                        126.123.112.45.in-addr.arpa
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        126.123.112.45.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        s.gofile.io
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        s.gofile.io
                                        IN A
                                        Response
                                        s.gofile.io
                                        IN A
                                        51.75.242.210
                                      • flag-us
                                        DNS
                                        fonts.googleapis.com
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        fonts.googleapis.com
                                        IN A
                                        Response
                                        fonts.googleapis.com
                                        IN A
                                        64.233.184.95
                                      • flag-us
                                        DNS
                                        250.11.243.136.in-addr.arpa
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        250.11.243.136.in-addr.arpa
                                        IN PTR
                                        Response
                                        250.11.243.136.in-addr.arpa
                                        IN PTR
                                        static.250.11.243.136.clients.your-server.de
                                      • flag-fr
                                        GET
                                        https://gofile.io/d/KRUCik
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /d/KRUCik HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        sec-ch-ua-mobile: ?0
                                        dnt: 1
                                        upgrade-insecure-requests: 1
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                        sec-fetch-site: none
                                        sec-fetch-mode: navigate
                                        sec-fetch-user: ?1
                                        sec-fetch-dest: document
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:15 GMT
                                        content-type: text/html; charset=UTF-8
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        cache-control: public, max-age=0
                                        last-modified: Mon, 02 Dec 2024 21:48:24 GMT
                                        etag: W/"1cfa-19389589822"
                                        content-encoding: gzip
                                      • flag-fr
                                        GET
                                        https://gofile.io/dist/css/output.css
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /dist/css/output.css HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: text/css,*/*;q=0.1
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: no-cors
                                        sec-fetch-dest: style
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:15 GMT
                                        content-type: text/css; charset=UTF-8
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        cache-control: public, max-age=0
                                        last-modified: Sat, 14 Dec 2024 17:49:52 GMT
                                        etag: W/"10905-193c64a854d"
                                        content-encoding: gzip
                                      • flag-fr
                                        GET
                                        https://gofile.io/plugins/fontawesome/css/all.min.css
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /plugins/fontawesome/css/all.min.css HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: text/css,*/*;q=0.1
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: no-cors
                                        sec-fetch-dest: style
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:15 GMT
                                        content-type: text/css; charset=UTF-8
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        cache-control: public, max-age=0
                                        last-modified: Mon, 02 Dec 2024 21:48:24 GMT
                                        etag: W/"17906-19389589822"
                                        content-encoding: gzip
                                      • flag-fr
                                        GET
                                        https://gofile.io/dist/js/global.js
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /dist/js/global.js HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: */*
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: no-cors
                                        sec-fetch-dest: script
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:15 GMT
                                        content-type: application/javascript; charset=UTF-8
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        cache-control: public, max-age=0
                                        last-modified: Wed, 04 Dec 2024 03:24:05 GMT
                                        etag: W/"231b-1938fb24543"
                                        content-encoding: gzip
                                      • flag-fr
                                        GET
                                        https://gofile.io/dist/js/framework.js
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /dist/js/framework.js HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: */*
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: no-cors
                                        sec-fetch-dest: script
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:15 GMT
                                        content-type: application/javascript; charset=UTF-8
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        cache-control: public, max-age=0
                                        last-modified: Sat, 14 Dec 2024 17:49:52 GMT
                                        etag: W/"55ec8-193c64a8551"
                                        content-encoding: gzip
                                      • flag-fr
                                        GET
                                        https://gofile.io/dist/js/blockies.min.js
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /dist/js/blockies.min.js HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: */*
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: no-cors
                                        sec-fetch-dest: script
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:15 GMT
                                        content-type: application/javascript; charset=UTF-8
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        cache-control: public, max-age=0
                                        last-modified: Mon, 02 Dec 2024 21:48:24 GMT
                                        etag: W/"55a-1938958981e"
                                        content-encoding: gzip
                                      • flag-fr
                                        GET
                                        https://gofile.io/dist/img/logo-small-70.png
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /dist/img/logo-small-70.png HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: no-cors
                                        sec-fetch-dest: image
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:16 GMT
                                        content-type: image/png
                                        content-length: 2367
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        accept-ranges: bytes
                                        cache-control: public, max-age=0
                                        last-modified: Mon, 02 Dec 2024 21:48:24 GMT
                                        etag: W/"93f-1938958981e"
                                      • flag-fr
                                        GET
                                        https://gofile.io/plugins/fontawesome/webfonts/fa-solid-900.woff2
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /plugins/fontawesome/webfonts/fa-solid-900.woff2 HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        origin: https://gofile.io
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        dnt: 1
                                        accept: */*
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: cors
                                        sec-fetch-dest: font
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:16 GMT
                                        content-type: font/woff2
                                        content-length: 157192
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        accept-ranges: bytes
                                        cache-control: public, max-age=0
                                        last-modified: Mon, 02 Dec 2024 21:48:25 GMT
                                        etag: W/"26608-1938958982a"
                                      • flag-fr
                                        GET
                                        https://gofile.io/plugins/fontawesome/webfonts/fa-brands-400.woff2
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /plugins/fontawesome/webfonts/fa-brands-400.woff2 HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        origin: https://gofile.io
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        dnt: 1
                                        accept: */*
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: cors
                                        sec-fetch-dest: font
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:16 GMT
                                        content-type: font/woff2
                                        content-length: 118072
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        accept-ranges: bytes
                                        cache-control: public, max-age=0
                                        last-modified: Mon, 02 Dec 2024 21:48:24 GMT
                                        etag: W/"1cd38-19389589822"
                                      • flag-fr
                                        GET
                                        https://gofile.io/dist/img/favicon32.png
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /dist/img/favicon32.png HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: no-cors
                                        sec-fetch-dest: image
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:16 GMT
                                        content-type: image/png
                                        content-length: 903
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        accept-ranges: bytes
                                        cache-control: public, max-age=0
                                        last-modified: Mon, 02 Dec 2024 21:48:24 GMT
                                        etag: W/"387-1938958981e"
                                      • flag-fr
                                        GET
                                        https://gofile.io/contents/filemanager.html
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /contents/filemanager.html HTTP/2.0
                                        host: gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: */*
                                        sec-fetch-site: same-origin
                                        sec-fetch-mode: cors
                                        sec-fetch-dest: empty
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        cookie: accountToken=j4UmRKAXBNlP4wmyL8kLjCJ04vSjlmUJ
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:17 GMT
                                        content-type: text/html; charset=UTF-8
                                        x-dns-prefetch-control: off
                                        expect-ct: max-age=0
                                        x-frame-options: SAMEORIGIN
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-download-options: noopen
                                        x-content-type-options: nosniff
                                        origin-agent-cluster: ?1
                                        x-permitted-cross-domain-policies: none
                                        referrer-policy: origin
                                        x-xss-protection: 0
                                        cache-control: public, max-age=0
                                        last-modified: Wed, 04 Dec 2024 02:58:18 GMT
                                        etag: W/"484e-1938f9aaa9f"
                                        content-encoding: gzip
                                      • flag-us
                                        DNS
                                        23.159.190.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        23.159.190.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        api.gofile.io
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        api.gofile.io
                                        IN A
                                        Response
                                        api.gofile.io
                                        IN A
                                        45.112.123.126
                                      • flag-us
                                        DNS
                                        static.a-ads.com
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        static.a-ads.com
                                        IN A
                                        Response
                                        static.a-ads.com
                                        IN CNAME
                                        ad.a-ads.com
                                        ad.a-ads.com
                                        IN A
                                        136.243.11.250
                                      • flag-us
                                        DNS
                                        store5.gofile.io
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        store5.gofile.io
                                        IN A
                                        Response
                                        store5.gofile.io
                                        IN A
                                        31.14.70.244
                                      • flag-us
                                        DNS
                                        172.210.232.199.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        172.210.232.199.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        ad.a-ads.com
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        ad.a-ads.com
                                        IN A
                                        Response
                                        ad.a-ads.com
                                        IN A
                                        78.46.33.196
                                      • flag-us
                                        DNS
                                        163.20.217.172.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        163.20.217.172.in-addr.arpa
                                        IN PTR
                                        Response
                                        163.20.217.172.in-addr.arpa
                                        IN PTR
                                        par10s49-in-f31e100net
                                        163.20.217.172.in-addr.arpa
                                        IN PTR
                                        waw02s07-in-f3
                                        163.20.217.172.in-addr.arpa
                                        IN PTR
                                        waw02s07-in-f163
                                      • flag-us
                                        DNS
                                        244.70.14.31.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        244.70.14.31.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        95.221.229.192.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        95.221.229.192.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        fonts.gstatic.com
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        fonts.gstatic.com
                                        IN A
                                        Response
                                        fonts.gstatic.com
                                        IN A
                                        172.217.20.163
                                      • flag-us
                                        DNS
                                        95.184.233.64.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        95.184.233.64.in-addr.arpa
                                        IN PTR
                                        Response
                                        95.184.233.64.in-addr.arpa
                                        IN PTR
                                        wa-in-f951e100net
                                      • flag-us
                                        DNS
                                        172.214.232.199.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        172.214.232.199.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-fr
                                        GET
                                        https://s.gofile.io/js/script.js
                                        msedge.exe
                                        Remote address:
                                        51.75.242.210:443
                                        Request
                                        GET /js/script.js HTTP/2.0
                                        host: s.gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: */*
                                        sec-fetch-site: same-site
                                        sec-fetch-mode: no-cors
                                        sec-fetch-dest: script
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        access-control-allow-origin: *
                                        cache-control: public, max-age=86400, must-revalidate
                                        content-type: application/javascript
                                        cross-origin-resource-policy: cross-origin
                                        date: Wed, 18 Dec 2024 19:47:16 GMT
                                        server: Cowboy
                                        x-content-type-options: nosniff
                                        content-length: 1346
                                      • flag-fr
                                        POST
                                        https://api.gofile.io/accounts
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        POST /accounts HTTP/2.0
                                        host: api.gofile.io
                                        content-length: 0
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: */*
                                        origin: https://gofile.io
                                        sec-fetch-site: same-site
                                        sec-fetch-mode: cors
                                        sec-fetch-dest: empty
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:17 GMT
                                        content-type: application/json; charset=utf-8
                                        access-control-allow-origin: https://gofile.io
                                        access-control-allow-headers: Content-Type, Authorization
                                        access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
                                        access-control-allow-credentials: true
                                        content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                        cross-origin-embedder-policy: require-corp
                                        cross-origin-opener-policy: same-origin
                                        cross-origin-resource-policy: cross-origin
                                        origin-agent-cluster: ?1
                                        referrer-policy: no-referrer
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-content-type-options: nosniff
                                        x-dns-prefetch-control: off
                                        x-download-options: noopen
                                        x-frame-options: SAMEORIGIN
                                        x-permitted-cross-domain-policies: none
                                        x-xss-protection: 0
                                        etag: W/"b2-IjtHwQFzk7QP5BSgWOwONuUWljc"
                                        content-encoding: gzip
                                      • flag-fr
                                        OPTIONS
                                        https://api.gofile.io/accounts/website
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        OPTIONS /accounts/website HTTP/2.0
                                        host: api.gofile.io
                                        accept: */*
                                        access-control-request-method: GET
                                        access-control-request-headers: authorization
                                        origin: https://gofile.io
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        sec-fetch-mode: cors
                                        sec-fetch-site: same-site
                                        sec-fetch-dest: empty
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:17 GMT
                                        content-type: text/html; charset=utf-8
                                        content-length: 8
                                        access-control-allow-origin: https://gofile.io
                                        access-control-allow-headers: Content-Type, Authorization
                                        access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
                                        access-control-allow-credentials: true
                                        content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                        cross-origin-embedder-policy: require-corp
                                        cross-origin-opener-policy: same-origin
                                        cross-origin-resource-policy: cross-origin
                                        origin-agent-cluster: ?1
                                        referrer-policy: no-referrer
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-content-type-options: nosniff
                                        x-dns-prefetch-control: off
                                        x-download-options: noopen
                                        x-frame-options: SAMEORIGIN
                                        x-permitted-cross-domain-policies: none
                                        x-xss-protection: 0
                                        allow: GET,HEAD
                                        etag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                      • flag-fr
                                        GET
                                        https://api.gofile.io/accounts/website
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /accounts/website HTTP/2.0
                                        host: api.gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        authorization: Bearer j4UmRKAXBNlP4wmyL8kLjCJ04vSjlmUJ
                                        accept: */*
                                        origin: https://gofile.io
                                        sec-fetch-site: same-site
                                        sec-fetch-mode: cors
                                        sec-fetch-dest: empty
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:17 GMT
                                        content-type: application/json; charset=utf-8
                                        access-control-allow-origin: https://gofile.io
                                        access-control-allow-headers: Content-Type, Authorization
                                        access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
                                        access-control-allow-credentials: true
                                        content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                        cross-origin-embedder-policy: require-corp
                                        cross-origin-opener-policy: same-origin
                                        cross-origin-resource-policy: cross-origin
                                        origin-agent-cluster: ?1
                                        referrer-policy: no-referrer
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-content-type-options: nosniff
                                        x-dns-prefetch-control: off
                                        x-download-options: noopen
                                        x-frame-options: SAMEORIGIN
                                        x-permitted-cross-domain-policies: none
                                        x-xss-protection: 0
                                        etag: W/"144-wSLr+UBVZfrCeKnfXOxYXefjqHc"
                                        content-encoding: gzip
                                      • flag-fr
                                        OPTIONS
                                        https://api.gofile.io/contents/KRUCik?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        OPTIONS /contents/KRUCik?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1 HTTP/2.0
                                        host: api.gofile.io
                                        accept: */*
                                        access-control-request-method: GET
                                        access-control-request-headers: authorization
                                        origin: https://gofile.io
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        sec-fetch-mode: cors
                                        sec-fetch-site: same-site
                                        sec-fetch-dest: empty
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:17 GMT
                                        content-type: text/html; charset=utf-8
                                        content-length: 8
                                        access-control-allow-origin: https://gofile.io
                                        access-control-allow-headers: Content-Type, Authorization
                                        access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
                                        access-control-allow-credentials: true
                                        content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                        cross-origin-embedder-policy: require-corp
                                        cross-origin-opener-policy: same-origin
                                        cross-origin-resource-policy: cross-origin
                                        origin-agent-cluster: ?1
                                        referrer-policy: no-referrer
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-content-type-options: nosniff
                                        x-dns-prefetch-control: off
                                        x-download-options: noopen
                                        x-frame-options: SAMEORIGIN
                                        x-permitted-cross-domain-policies: none
                                        x-xss-protection: 0
                                        allow: GET,HEAD
                                        etag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                      • flag-fr
                                        GET
                                        https://api.gofile.io/contents/KRUCik?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1
                                        msedge.exe
                                        Remote address:
                                        45.112.123.126:443
                                        Request
                                        GET /contents/KRUCik?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1 HTTP/2.0
                                        host: api.gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        authorization: Bearer j4UmRKAXBNlP4wmyL8kLjCJ04vSjlmUJ
                                        accept: */*
                                        origin: https://gofile.io
                                        sec-fetch-site: same-site
                                        sec-fetch-mode: cors
                                        sec-fetch-dest: empty
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.1
                                        date: Wed, 18 Dec 2024 19:47:17 GMT
                                        content-type: application/json; charset=utf-8
                                        access-control-allow-origin: https://gofile.io
                                        access-control-allow-headers: Content-Type, Authorization
                                        access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
                                        access-control-allow-credentials: true
                                        content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
                                        cross-origin-embedder-policy: require-corp
                                        cross-origin-opener-policy: same-origin
                                        cross-origin-resource-policy: cross-origin
                                        origin-agent-cluster: ?1
                                        referrer-policy: no-referrer
                                        strict-transport-security: max-age=15552000; includeSubDomains
                                        x-content-type-options: nosniff
                                        x-dns-prefetch-control: off
                                        x-download-options: noopen
                                        x-frame-options: SAMEORIGIN
                                        x-permitted-cross-domain-policies: none
                                        x-xss-protection: 0
                                        etag: W/"37c-3IRK1zFAmg+PFsnEdIGYQGYJ8dM"
                                        content-encoding: gzip
                                      • flag-fr
                                        POST
                                        https://s.gofile.io/api/event
                                        msedge.exe
                                        Remote address:
                                        51.75.242.210:443
                                        Request
                                        POST /api/event HTTP/2.0
                                        host: s.gofile.io
                                        content-length: 74
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        content-type: text/plain
                                        accept: */*
                                        origin: https://gofile.io
                                        sec-fetch-site: same-site
                                        sec-fetch-mode: cors
                                        sec-fetch-dest: empty
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 202
                                        access-control-allow-credentials: true
                                        access-control-allow-origin: *
                                        access-control-expose-headers:
                                        cache-control: max-age=0, private, must-revalidate
                                        content-type: text/plain; charset=utf-8
                                        date: Wed, 18 Dec 2024 19:47:16 GMT
                                        server: Cowboy
                                        x-request-id: GBJdKPWsI4A0K-zSAgdB
                                        content-length: 2
                                      • flag-de
                                        GET
                                        https://ad.a-ads.com/2059298?size=300x250
                                        msedge.exe
                                        Remote address:
                                        78.46.33.196:443
                                        Request
                                        GET /2059298?size=300x250 HTTP/2.0
                                        host: ad.a-ads.com
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        sec-ch-ua-mobile: ?0
                                        upgrade-insecure-requests: 1
                                        dnt: 1
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                        sec-fetch-site: cross-site
                                        sec-fetch-mode: navigate
                                        sec-fetch-dest: iframe
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx
                                        date: Wed, 18 Dec 2024 19:47:18 GMT
                                        content-type: text/html;charset=utf-8
                                        vary: Accept-Encoding
                                        vary: Accept-Encoding
                                        status: 200 OK
                                        x-xss-protection: 1; mode=block
                                        x-content-type-options: nosniff
                                        x-powered-by: Phusion Passenger(R)
                                        x-original-referer: https://gofile.io/
                                        x-robots-tag: noindex, nofollow, nosnippet, noarchive
                                        content-encoding: gzip
                                      • flag-de
                                        GET
                                        https://static.a-ads.com/a-ads-banners/524450/300x250?region=eu-central-1
                                        msedge.exe
                                        Remote address:
                                        136.243.11.250:443
                                        Request
                                        GET /a-ads-banners/524450/300x250?region=eu-central-1 HTTP/2.0
                                        host: static.a-ads.com
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        dnt: 1
                                        sec-ch-ua-mobile: ?0
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                        sec-fetch-site: same-site
                                        sec-fetch-mode: no-cors
                                        sec-fetch-dest: image
                                        referer: https://ad.a-ads.com/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        Response
                                        HTTP/2.0 200
                                        server: nginx
                                        date: Wed, 18 Dec 2024 19:47:18 GMT
                                        content-type: image/gif
                                        content-length: 653583
                                        x-amz-id-2: JT0fMGWXyurcvGPdoW3OYpNCCN0jdPgotu4NPSV3QB264TIjreGcQM3XicEwihSjH7R8GW6hv1b32QdO7xh04w==
                                        x-amz-request-id: H5W4B8WS83D04YVY
                                        x-amz-replication-status: COMPLETED
                                        last-modified: Fri, 11 Oct 2024 09:13:19 GMT
                                        etag: "37967b09f68b517683b0d06251fc6d5a"
                                        x-amz-server-side-encryption: AES256
                                        cache-control: max-age=315360000
                                        x-amz-version-id: .KuAhEykmJCeWjP4rEMoEVInEb_Z8LqR
                                        expires: Thu, 31 Dec 2037 23:55:55 GMT
                                        accept-ranges: bytes
                                      • flag-fr
                                        GET
                                        https://store5.gofile.io/download/web/e711f4dd-0b98-41dd-96cd-9140df9c1bdc/WaveSourceInstaller.exe
                                        msedge.exe
                                        Remote address:
                                        31.14.70.244:443
                                        Request
                                        GET /download/web/e711f4dd-0b98-41dd-96cd-9140df9c1bdc/WaveSourceInstaller.exe HTTP/2.0
                                        host: store5.gofile.io
                                        sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
                                        sec-ch-ua-mobile: ?0
                                        upgrade-insecure-requests: 1
                                        dnt: 1
                                        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
                                        accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                        sec-fetch-site: same-site
                                        sec-fetch-mode: navigate
                                        sec-fetch-user: ?1
                                        sec-fetch-dest: document
                                        referer: https://gofile.io/
                                        accept-encoding: gzip, deflate, br
                                        accept-language: en-US,en;q=0.9
                                        cookie: accountToken=j4UmRKAXBNlP4wmyL8kLjCJ04vSjlmUJ
                                        Response
                                        HTTP/2.0 200
                                        server: nginx/1.27.2
                                        date: Wed, 18 Dec 2024 19:48:15 GMT
                                        content-type: application/x-ms-dos-executable
                                        content-length: 480768
                                        accept-ranges: bytes
                                        access-control-allow-headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
                                        access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE
                                        access-control-allow-origin: *
                                        access-control-expose-headers: Cache-Control, Content-Encoding, Content-Range
                                        content-disposition: attachment; filename*=UTF-8''WaveSourceInstaller.exe
                                        last-modified: Wed, 18 Dec 2024 19:17:45 GMT
                                      • 45.112.123.126:443
                                        https://gofile.io/contents/filemanager.html
                                        tls, http2
                                        msedge.exe
                                        11.3kB
                                        431.2kB
                                        202
                                        335

                                        HTTP Request

                                        GET https://gofile.io/d/KRUCik

                                        HTTP Response

                                        200

                                        HTTP Request

                                        GET https://gofile.io/dist/css/output.css

                                        HTTP Request

                                        GET https://gofile.io/plugins/fontawesome/css/all.min.css

                                        HTTP Request

                                        GET https://gofile.io/dist/js/global.js

                                        HTTP Request

                                        GET https://gofile.io/dist/js/framework.js

                                        HTTP Request

                                        GET https://gofile.io/dist/js/blockies.min.js

                                        HTTP Response

                                        200

                                        HTTP Response

                                        200

                                        HTTP Response

                                        200

                                        HTTP Response

                                        200

                                        HTTP Response

                                        200

                                        HTTP Request

                                        GET https://gofile.io/dist/img/logo-small-70.png

                                        HTTP Response

                                        200

                                        HTTP Request

                                        GET https://gofile.io/plugins/fontawesome/webfonts/fa-solid-900.woff2

                                        HTTP Request

                                        GET https://gofile.io/plugins/fontawesome/webfonts/fa-brands-400.woff2

                                        HTTP Response

                                        200

                                        HTTP Response

                                        200

                                        HTTP Request

                                        GET https://gofile.io/dist/img/favicon32.png

                                        HTTP Response

                                        200

                                        HTTP Request

                                        GET https://gofile.io/contents/filemanager.html

                                        HTTP Response

                                        200
                                      • 51.75.242.210:443
                                        https://s.gofile.io/js/script.js
                                        tls, http2
                                        msedge.exe
                                        2.2kB
                                        6.2kB
                                        15
                                        15

                                        HTTP Request

                                        GET https://s.gofile.io/js/script.js

                                        HTTP Response

                                        200
                                      • 45.112.123.126:443
                                        https://api.gofile.io/contents/KRUCik?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1
                                        tls, http2
                                        msedge.exe
                                        2.5kB
                                        10.7kB
                                        21
                                        28

                                        HTTP Request

                                        POST https://api.gofile.io/accounts

                                        HTTP Response

                                        200

                                        HTTP Request

                                        OPTIONS https://api.gofile.io/accounts/website

                                        HTTP Response

                                        200

                                        HTTP Request

                                        GET https://api.gofile.io/accounts/website

                                        HTTP Response

                                        200

                                        HTTP Request

                                        OPTIONS https://api.gofile.io/contents/KRUCik?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1

                                        HTTP Response

                                        200

                                        HTTP Request

                                        GET https://api.gofile.io/contents/KRUCik?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1

                                        HTTP Response

                                        200
                                      • 51.75.242.210:443
                                        https://s.gofile.io/api/event
                                        tls, http2
                                        msedge.exe
                                        2.3kB
                                        4.8kB
                                        14
                                        13

                                        HTTP Request

                                        POST https://s.gofile.io/api/event

                                        HTTP Response

                                        202
                                      • 78.46.33.196:443
                                        https://ad.a-ads.com/2059298?size=300x250
                                        tls, http2
                                        msedge.exe
                                        2.0kB
                                        12.0kB
                                        17
                                        20

                                        HTTP Request

                                        GET https://ad.a-ads.com/2059298?size=300x250

                                        HTTP Response

                                        200
                                      • 136.243.11.250:443
                                        https://static.a-ads.com/a-ads-banners/524450/300x250?region=eu-central-1
                                        tls, http2
                                        msedge.exe
                                        13.2kB
                                        681.1kB
                                        262
                                        500

                                        HTTP Request

                                        GET https://static.a-ads.com/a-ads-banners/524450/300x250?region=eu-central-1

                                        HTTP Response

                                        200
                                      • 31.14.70.244:443
                                        https://store5.gofile.io/download/web/e711f4dd-0b98-41dd-96cd-9140df9c1bdc/WaveSourceInstaller.exe
                                        tls, http2
                                        msedge.exe
                                        10.5kB
                                        503.9kB
                                        198
                                        367

                                        HTTP Request

                                        GET https://store5.gofile.io/download/web/e711f4dd-0b98-41dd-96cd-9140df9c1bdc/WaveSourceInstaller.exe

                                        HTTP Response

                                        200
                                      • 31.14.70.244:443
                                        store5.gofile.io
                                        tls, http2
                                        msedge.exe
                                        1.0kB
                                        4.6kB
                                        10
                                        9
                                      • 8.8.8.8:53
                                        gofile.io
                                        dns
                                        msedge.exe
                                        447 B
                                        990 B
                                        7
                                        7

                                        DNS Request

                                        gofile.io

                                        DNS Response

                                        45.112.123.126

                                        DNS Request

                                        login.live.com

                                        DNS Response

                                        20.190.159.23
                                        40.126.31.69
                                        20.190.159.75
                                        20.190.159.71
                                        20.190.159.68
                                        20.190.159.4
                                        40.126.31.71
                                        40.126.31.73

                                        DNS Request

                                        ocsp.digicert.com

                                        DNS Response

                                        192.229.221.95

                                        DNS Request

                                        126.123.112.45.in-addr.arpa

                                        DNS Request

                                        s.gofile.io

                                        DNS Response

                                        51.75.242.210

                                        DNS Request

                                        fonts.googleapis.com

                                        DNS Response

                                        64.233.184.95

                                        DNS Request

                                        250.11.243.136.in-addr.arpa

                                      • 8.8.8.8:53
                                        23.159.190.20.in-addr.arpa
                                        dns
                                        255 B
                                        406 B
                                        4
                                        4

                                        DNS Request

                                        23.159.190.20.in-addr.arpa

                                        DNS Request

                                        api.gofile.io

                                        DNS Response

                                        45.112.123.126

                                        DNS Request

                                        static.a-ads.com

                                        DNS Response

                                        136.243.11.250

                                        DNS Request

                                        store5.gofile.io

                                        DNS Response

                                        31.14.70.244

                                      • 8.8.8.8:53
                                        172.210.232.199.in-addr.arpa
                                        dns
                                        276 B
                                        495 B
                                        4
                                        4

                                        DNS Request

                                        172.210.232.199.in-addr.arpa

                                        DNS Request

                                        ad.a-ads.com

                                        DNS Response

                                        78.46.33.196

                                        DNS Request

                                        163.20.217.172.in-addr.arpa

                                        DNS Request

                                        244.70.14.31.in-addr.arpa

                                      • 8.8.8.8:53
                                        95.221.229.192.in-addr.arpa
                                        dns
                                        282 B
                                        456 B
                                        4
                                        4

                                        DNS Request

                                        95.221.229.192.in-addr.arpa

                                        DNS Request

                                        fonts.gstatic.com

                                        DNS Response

                                        172.217.20.163

                                        DNS Request

                                        95.184.233.64.in-addr.arpa

                                        DNS Request

                                        172.214.232.199.in-addr.arpa

                                      • 224.0.0.251:5353
                                        586 B
                                        9

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        003b92b33b2eb97e6c1a0929121829b8

                                        SHA1

                                        6f18e96c7a2e07fb5a80acb3c9916748fd48827a

                                        SHA256

                                        8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

                                        SHA512

                                        18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        051a939f60dced99602add88b5b71f58

                                        SHA1

                                        a71acd61be911ff6ff7e5a9e5965597c8c7c0765

                                        SHA256

                                        2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

                                        SHA512

                                        a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                        Filesize

                                        144B

                                        MD5

                                        69fbe8ffdb18ef45a6f8ec2d42661f9a

                                        SHA1

                                        30a84209df3ebed0ac49603dd816f87c1380ec5a

                                        SHA256

                                        e75b34c289eaf6848933c203135d78f122fcb86216084fc33ef3e2f80de7b344

                                        SHA512

                                        4d03576db71eba38d11843244396fff23caaeb39e72275281b5e2e3fafa3d24e93290e31b06b975b10adfedfdd581b6930e900a0ed66981207c8073e17baef79

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        930B

                                        MD5

                                        d6712d27913bee4f34788253c641e6c1

                                        SHA1

                                        792aa473ca6df73d328bd65a68dd4e25fb20e0bf

                                        SHA256

                                        7496693478f46ee0bc1752842e6c09a85770699a5975d680e7f0bc1c3106603d

                                        SHA512

                                        66ec9228f91eef062e6987363d0513a1bf301011a35f65e3cd10bf123f69e9e06b9c329b3502fb5902ca4c5c389572c5c9773aad0b55a6a2c96d59bc0a680dcc

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        5KB

                                        MD5

                                        33f9191d9c406d4f48cc44f511b4b3e9

                                        SHA1

                                        2f370a2b1a697a9ed4452e6dbbf9ead49a3fcfec

                                        SHA256

                                        1785bc1c86b744b5d69262efeb0114d9e01767211822031894080e1a1f7c49e1

                                        SHA512

                                        7a44c4db214a16e088eea80ac68da6cfac8027148f6be2d734745200728e4f2ca1d7b1e91a62e7156f89fd2a71ed090ca26cf09f5462903a418a77860f64c2f6

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        f5f7ec7fe0b175ef2df873820ffa36d4

                                        SHA1

                                        bef532a5a1ef572b10565ef40a5e4642ca19616e

                                        SHA256

                                        7e1e05cdca376e998871d4b2f883f8c806e33a21498ab1bc034d86bf00572539

                                        SHA512

                                        211dd6e82be6535d13c21df2845af8f76ccdec81da0ff7a7b71ee2dc91ad5a2f6c645e720ff4af8f7c7b7246796b55ef2cbe5a3a678fba0c9f1131991826a54d

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                        Filesize

                                        16B

                                        MD5

                                        46295cac801e5d4857d09837238a6394

                                        SHA1

                                        44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                        SHA256

                                        0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                        SHA512

                                        8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                        Filesize

                                        16B

                                        MD5

                                        206702161f94c5cd39fadd03f4014d98

                                        SHA1

                                        bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                        SHA256

                                        1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                        SHA512

                                        0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        11KB

                                        MD5

                                        f5b854fd2c55ddd1059ff0f5db509989

                                        SHA1

                                        337b712d5548cf22ad8149c9e7eb7577b4be079f

                                        SHA256

                                        9d7bf2f9508245b35a0487f789159fe5561f5d41ec5ccfd5cf4e4973272ca512

                                        SHA512

                                        20562bef88d2ac96eea6a72fc67e64adab55a2c2009165a0e06380d4740bd4c05fd6f583293dff480a05732816f6c9b02ece075c5b9a678c88c79a7868ba4f5f

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        10KB

                                        MD5

                                        b3cd2721d64f4b2002a96ecba33a0641

                                        SHA1

                                        0b7ceb4a0b7f5dccd009aad8249a6a0057f8bbdd

                                        SHA256

                                        9d42ab26d8c77b4a849634541b157eaa4f8c8285b1714f482803434266c2763f

                                        SHA512

                                        4b4eec27fbe20ba20d3ca314732d14e6b2e28e035972e0e8fd6e93c5f14d33f44ad3ef0f353fd9fdd0a082dd35c56aea7c2c5c2baaa9ada0195b87dbd1a8a443

                                      • C:\Users\Admin\AppData\Local\Temp\install.vbs

                                        Filesize

                                        386B

                                        MD5

                                        1ec6289c6fd4c2ded6b2836ed28cbeb5

                                        SHA1

                                        c4e08195e6c640eb8860acc03fda1d649b4fe070

                                        SHA256

                                        6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

                                        SHA512

                                        20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

                                      • C:\Users\Admin\Downloads\Unconfirmed 748523.crdownload

                                        Filesize

                                        469KB

                                        MD5

                                        e468b718e67495ea73c85d8258059adf

                                        SHA1

                                        dcad70f5c39ab85f900ef1288067dbf51eaeb503

                                        SHA256

                                        fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

                                        SHA512

                                        b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

                                      • C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier

                                        Filesize

                                        26B

                                        MD5

                                        fbccf14d504b7b2dbcb5a5bda75bd93b

                                        SHA1

                                        d59fc84cdd5217c6cf74785703655f78da6b582b

                                        SHA256

                                        eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                        SHA512

                                        aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                      • memory/4388-178-0x0000000000B40000-0x0000000000BBF000-memory.dmp

                                        Filesize

                                        508KB

                                      • memory/4388-179-0x0000000000B40000-0x0000000000BBF000-memory.dmp

                                        Filesize

                                        508KB
